From owner-freebsd-ports@FreeBSD.ORG  Tue Sep 30 22:29:30 2014
Return-Path: <owner-freebsd-ports@FreeBSD.ORG>
Delivered-To: freebsd-ports@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id C7DA6D47;
 Tue, 30 Sep 2014 22:29:30 +0000 (UTC)
Received: from mail-in6.apple.com (mail-out6.apple.com [17.151.62.28])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 95B37D17;
 Tue, 30 Sep 2014 22:29:30 +0000 (UTC)
Received: from mail-out.apple.com (crispin.apple.com [17.151.62.50])
 (using TLS with cipher RC4-MD5 (128/128 bits))
 (Client did not present a certificate)
 by mail-in6.apple.com (Apple Secure Mail Relay) with SMTP id
 03.60.24750.9CE2B245; Tue, 30 Sep 2014 15:29:29 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; CHARSET=US-ASCII
Received: from relay2.apple.com ([17.128.113.67]) by local.mail-out.apple.com
 (Oracle Communications Messaging Server 7.0.5.30.0 64bit (built Oct
 22 2013))
 with ESMTP id <0NCQ00GLQJSY4IL0@local.mail-out.apple.com>; Tue,
 30 Sep 2014 15:29:29 -0700 (PDT)
X-AuditID: 11973e15-f79956d0000060ae-9f-542b2ec9cc78
Received: from [17.149.232.248] (Unknown_Domain [17.149.232.248])
 (using TLS with cipher AES128-SHA (128/128 bits))
 (Client did not present a certificate)	by relay2.apple.com (Apple SCV relay)
 with SMTP id D9.11.19003.5CE2B245; Tue, 30 Sep 2014 15:29:26 -0700 (PDT)
Subject: Re: bash velnerability
From: Charles Swiger <cswiger@mac.com>
In-reply-to: <542B29C1.7010505@FreeBSD.org>
Date: Tue, 30 Sep 2014 15:29:28 -0700
Message-id: <7943146A-CB56-4744-BFB5-268B306D3738@mac.com>
References: <CAHFU5H5WOnAXuFmfQEGkTvwoECATTCC3eKYE3yts+Bqh1M_8ww@mail.gmail.com>
 <00000148ab969845-5940abcc-bb88-4111-8f7f-8671b0d0300b-000000@us-west-2.amazonses.com>
 <54243F0F.6070904@FreeBSD.org> <54244982.8010002@FreeBSD.org>
 <16EB2C50-FBBA-4797-83B0-FB340A737238@circl.lu> <542596E3.3070707@FreeBSD.org>
 <CAHcXP+dx2etYgQPNiAxk2P68Z-4j+bTvdMoHfz+xKsBDKh9Z9g@mail.gmail.com>
 <5425999A.3070405@FreeBSD.org> <5425A548.9090306@FreeBSD.org>
 <5425D427.8090309@FreeBSD.org> <54298266.1090201@sentex.net>
 <5429851B.8060500@FreeBSD.org> <542AFC54.9010405@FreeBSD.org>
 <542B087D.3040903@FreeBSD.org> <CC9931CC-6BEA-4416-9546-42D6E49C1129@mac.com>
 <542B27FF.10204@sentex.net> <542B29C1.7010505@FreeBSD.org>
To: Jung-uk Kim <jkim@FreeBSD.org>
X-Mailer: Apple Mail (2.1878.6)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrILMWRmVeSWpSXmKPExsUiON3OSPeknnaIwYQ5AhYntnxgsdh0+C2j
 Rc+mJ2wWKz9fZXJg8ZjxaT5LAGMUl01Kak5mWWqRvl0CV8aCjR+YC9ZzVWzf84i5gXEZRxcj
 J4eEgInEiz8r2CBsMYkL99YD2VwcQgIzmST2PXnBApLgFRCU+DH5HpDNwcEsIC9x8LwsSJhZ
 QEvi+6NWFoj6JiaJaxv/sMIMXb3kDTtEop9J4tnV38wgCWGg5oaGg2wgg9gE1CQmTOQBCXMK
 aEu0TlgC1ssioCpxqPkaM0gvs8ByRoldZ+6xQhxhJdHeMZcJYuh5Vomlz44wgiREBJQkfnw9
 wg6xWV7iw4fjYJslBCaxSew/eZZ5AqPwLCRfzEL4YhaSLxYwMq9iFMpNzMzRzcwz00ssKMhJ
 1UvOz93ECAlz0R2MZ1ZZHWIU4GBU4uHlkNcKEWJNLCuuzD3EKM3BoiTOe/acZoiQQHpiSWp2
 ampBalF8UWlOavEhRiYOTqkGRv+YrWtuan9IeT1vZZ+Pn1lR1a14tsVyNw7dv9x9LfbMRNbd
 T+9Nu/bp8LkXq+tmfsy+WFU5IXGafr6f9h7GLfPLpnmGZeo2XRENvVT4Qapu0cVNqe7njuuu
 bVvstePcstqG7Uuj7h157vnE9cbTdQ22scdeKx73TFGQ6+y/ZODlN3endu5pv2wlluKMREMt
 5qLiRAAONQ1pVAIAAA==
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrMLMWRmVeSWpSXmKPExsUiOPXFD91jetohBiu+8lmc2PKBxWLT4beM
 Fj2bnrBZrPx8lcli06xZ7A6sHjM+zWfxOHzrP1sAUxSXTUpqTmZZapG+XQJXxrI769kKbnJV
 LD/bx9jAeJaji5GTQ0LARGL1kjfsELaYxIV769m6GLk4hAT6mSS+/v/LBJJgFtCT2HH9FyuI
 zStgILFk1yZmEFtYQF6ioeEgUAMHB5uAmsSEiTwgYU4BbYnnjx+wgdgsAqoSh5qvMYPMZBZY
 ySjx/9cENoiZ2hLLFr5mhphpJfHywxJ2iMW7WSXO3VsFdpGIgJLEj69HoK6Tl/jw4Tj7BEb+
 WUhumoXkpllI5i5gZF7FKFCUmpNYaaSXWFCQk6qXnJ+7iREUlA2FzjsYjy2zOsQowMGoxMPL
 Ia8VIsSaWFZcmXuIUYKDWUmEd4O8dogQb0piZVVqUX58UWlOavEhRmkOFiVx3s/lKiFCAumJ
 JanZqakFqUUwWSYOTqkGxuWlU1J3rqzW4ZBZ3Bfs3MKpwBiyscZ2v9o6xc7/D+04Pz0UMwyL
 1poqav7OZ/lzSaGO7f7xotV9iruftRXv8ZDfbbaVqaJlctVfr6rL7Jfn3a48t2DGoboQr22d
 Lu5H/mTm+oet7DzB5Sl399PbkG2/zs25v19F99hVi22ae/68YVp4hu/GWyWW4oxEQy3mouJE
 ABvjoRdGAgAA
Cc: freebsd-security <freebsd-security@FreeBSD.org>,
 Bryan Drewery <bdrewery@FreeBSD.org>,
 freebsd-ports <freebsd-ports@FreeBSD.org>, Mike Tancsa <mike@sentex.net>
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports/>
List-Post: <mailto:freebsd-ports@freebsd.org>
List-Help: <mailto:freebsd-ports-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Sep 2014 22:29:31 -0000

On Sep 30, 2014, at 3:08 PM, Jung-uk Kim <jkim@FreeBSD.org> wrote:
> On 2014-09-30 18:00:31 -0400, Mike Tancsa wrote:
>> On 9/30/2014 5:25 PM, Charles Swiger wrote:
>>> bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
>>> Testing Exploit 4 (CVE-2014-7186)
>>> bash-3.2$ CVE7186="$(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF
>>> <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null ||echo -n
>>> V)"
>>> bash-3.2$ [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT
>>> VULNERABLE"
>>> NOT VULNERABLE
>>> 
>>> This being said, I'm not confident that there won't be further issues
>>> found with bash....
>>> 
>> 
>> What are people using to check these issues ?  I was using
>> 
>> https://github.com/hannob/bashcheck
>> 
>> Not sure if that gives false positives ?
> ...
> 
> Yes, it seems it does.
> 
> https://github.com/hannob/bashcheck/commit/5b611b36
> 
> Jung-uk Kim

Checking, and agreed.

bash -c "true $(printf '<<EOF %.0s' {1..70})" 2>/dev/null

...works OK, but this crashes with a SIGSEGV:

bash -c "true $(printf '<<EOF %.0s' {1..80})" 2>/dev/null

Seems to be blowing out a ~84K malloc buffer located just above the __TEXT page for /bin/bash; it's not blowing out the stack directly and isn't affected by changing ulimit -s.

Regards,
-- 
-Chuck