From: Charles Swiger
Date: Tue, 30 Sep 2014 15:29:28 -0700
Subject: Re: bash velnerability
To: Jung-uk Kim
Cc: freebsd-security, Bryan Drewery, freebsd-ports, Mike Tancsa
Message-id: <7943146A-CB56-4744-BFB5-268B306D3738@mac.com>
In-reply-to: <542B29C1.7010505@FreeBSD.org>
List-Id: Porting software to FreeBSD

On Sep 30, 2014, at 3:08 PM, Jung-uk Kim wrote:
> On 2014-09-30 18:00:31 -0400, Mike Tancsa wrote:
>> On 9/30/2014 5:25 PM, Charles Swiger wrote:
>>> bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
>>> Testing Exploit 4 (CVE-2014-7186)
>>> bash-3.2$ CVE7186="$(bash -c 'true <>> </dev/null ||echo -n
>>> V)"
>>> bash-3.2$ [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT
>>> VULNERABLE"
>>> NOT VULNERABLE
>>>
>>> This being said, I'm not confident that there won't be further issues
>>> found with bash....
>>>
>>
>> What are people using to check these issues? I was using
>>
>> https://github.com/hannob/bashcheck
>>
>> Not sure if that gives false positives?
> ...
>
> Yes, it seems it does.
>
> https://github.com/hannob/bashcheck/commit/5b611b36
>
> Jung-uk Kim

Checking, and agreed.

bash -c "true $(printf '</dev/null

...works OK, but this crashes with a SIGSEGV:

bash -c "true $(printf '</dev/null

Seems to be blowing out a ~84K malloc buffer located just above the __TEXT
page for /bin/bash; it's not blowing out the stack directly and isn't
affected by changing ulimit -s.

Regards,
-- 
-Chuck
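
An added example, not part of the original message and not taken from bashcheck: a probe written as `cmd || echo V`, like the quoted one, reports every non-zero exit as vulnerable, while the crash described above is specifically a death by SIGSEGV. The helper names `classify_probe` and `naive_probe` are hypothetical, and the two probes are constructed stand-ins rather than the here-document test from the thread.

```shell
#!/bin/sh
# Added example: tell "exited with an error" apart from "killed by a signal".
# All names here are hypothetical; the probes are constructed stand-ins.

# Run "$@" quietly and print one of: ok, error:<status>, crash:<signal number>
classify_probe() {
    status=0
    # Subshell, so the shell's own "Segmentation fault" notice is discarded too.
    ( "$@" ) >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -gt 128 ]; then
        # bash and dash report a child killed by signal N as status 128+N.
        echo "crash:$((status - 128))"
    else
        echo "error:$status"
    fi
}

# The quoted style of check: any failure at all is reported as vulnerable.
naive_probe() {
    ( "$@" ) >/dev/null 2>&1 || { echo "VULNERABLE"; return 0; }
    echo "NOT VULNERABLE"
}

# Constructed stand-ins for two ways a shell can react to hostile input.
clean_reject() { sh -c 'exit 2'; }            # input refused, normal error exit
segfault()     { sh -c 'kill -s SEGV $$'; }   # process dies with SIGSEGV

for probe in true clean_reject segfault; do
    printf '%-13s naive=%-15s classified=%s\n' "$probe" \
        "$(naive_probe "$probe")" "$(classify_probe "$probe")"
done
```

The naive form flags `clean_reject` and `segfault` identically; only the status-based form separates a shell that refused the input from one that crashed on it.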