From owner-freebsd-ports@FreeBSD.ORG Wed Oct 1 03:32:32 2014 Return-Path: Delivered-To: freebsd-ports@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id AA7555A4 for ; Wed, 1 Oct 2014 03:32:32 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7C080FB8 for ; Wed, 1 Oct 2014 03:32:32 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.9/8.14.9) with ESMTP id s913WWLg039194 for ; Wed, 1 Oct 2014 03:32:32 GMT (envelope-from bdrewery@freefall.freebsd.org) Received: (from bdrewery@localhost) by freefall.freebsd.org (8.14.9/8.14.9/Submit) id s913WWUg039189 for freebsd-ports@freebsd.org; Wed, 1 Oct 2014 03:32:32 GMT (envelope-from bdrewery) Received: (qmail 18782 invoked from network); 30 Sep 2014 22:32:30 -0500 Received: from unknown (HELO ?10.10.0.24?) (freebsd@shatow.net@10.10.0.24) by sweb.xzibition.com with ESMTPA; 30 Sep 2014 22:32:30 -0500 Message-ID: <542B75C9.7050106@FreeBSD.org> Date: Tue, 30 Sep 2014 22:32:25 -0500 From: Bryan Drewery Organization: FreeBSD User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2 MIME-Version: 1.0 To: Jung-uk Kim , Bryan Drewery , Mike Tancsa Subject: Re: bash velnerability References: <00000148ab969845-5940abcc-bb88-4111-8f7f-8671b0d0300b-000000@us-west-2.amazonses.com> <54243F0F.6070904@FreeBSD.org> <54244982.8010002@FreeBSD.org> <16EB2C50-FBBA-4797-83B0-FB340A737238@circl.lu> <542596E3.3070707@FreeBSD.org> <5425999A.3070405@FreeBSD.org> <5425A548.9090306@FreeBSD.org> <5425D427.8090309@FreeBSD.org> <54298266.1090201@sentex.net> <5429851B.8060500@FreeBSD.org> <542AFC54.9010405@FreeBSD.org> In-Reply-To: <542AFC54.9010405@FreeBSD.org> OpenPGP: id=6E4697CF; url=http://www.shatow.net/bryan/bryan2.asc Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="amBkfTpbOspVJbWlxxlajlskkTkx1KqNd" Cc: freebsd-security , freebsd-ports X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Oct 2014 03:32:32 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --amBkfTpbOspVJbWlxxlajlskkTkx1KqNd Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable On 9/30/2014 1:54 PM, Jung-uk Kim wrote: > On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote: >> On 9/29/2014 11:01 AM, Mike Tancsa wrote: >>> On 9/26/2014 5:01 PM, Bryan Drewery wrote: >>>> On 9/26/2014 12:41 PM, Bryan Drewery wrote: >>>>> On 9/26/2014 11:51 AM, Bryan Drewery wrote: >>>>>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote: >>>>>>> Apparently, the full fix is still not delivered, accordingly to t= his: >>>>>>> http://seclists.org/oss-sec/2014/q3/741 >>>>>>> >>>>>>> Kind regards, >>>>>>> Bartek Rutkowski >>>>>>> >>>>>> >>>>>> I'm pretty sure they call that a "feature". This is a bit differen= t. >>>> >>>> I've disabled environment function importing in the port. Using >>>> --import-functions will allow it to work if you need it. >>> >>> Hi Bryan, >>> With the latest ports, bashcheck still sees some issues with bash= =2E >>> Are these false positives on FreeBSD ? >>> >>> Using >>> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck >>> >>> Not vulnerable to CVE-2014-6271 (original shellshock) >>> Not vulnerable to CVE-2014-7169 (taviso bug) >>> ./bashcheck: line 18: 54908 Segmentation fault (core dumped) bas= h >>> -c "true $(printf '< /dev/null >>> Vulnerable to CVE-2014-7186 (redir_stack bug) >>> Test for CVE-2014-7187 not reliable without address sanitizer >>> Variable function parser inactive, likely safe from unknown parser bu= gs >>> >>> ---Mike >> >> Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7= 187. >=20 > Applying the first patch for parse.y from the following post passed the= > tests for me. >=20 > http://www.openwall.com/lists/oss-security/2014/09/25/32 >=20 > In fact, all major Linux distros seem to use it now. >=20 > FYI, >=20 > Jung-uk Kim For some reason the redir_stack issue is not showing up at all for me on head without the patch. It does show up on an 8.4 system of mine without the patch though. I have applied it now to the port. --=20 Regards, Bryan Drewery --amBkfTpbOspVJbWlxxlajlskkTkx1KqNd Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) iQEcBAEBAgAGBQJUK3XJAAoJEDXXcbtuRpfPKQgH/iRF8yHFcG7VTloaK34cirlo 9L6oX9pPjT2W8dYfMeRKOIQ825RptlHyZIpzgEu1Hel1MQIsgV6y71xnMOLfYmyA leHoJRsPnTgQ+OAVkx71CRj49uoUM0Y8GHeR9nC5jlYQxlhGe1QwG7VhHUXuhnSG zMS1l7tA5yf4U6X7FTn3tay8zgJXJHeSu69KY4CSZeb6qH+pnlJXZvSWUm6EyfWp eDBKBm/dJc63MDM+POiKgfwDbb5HiLJcSsnaX+zwEr2K9nITnjQf+i219RppgXLq ucxNUB1KuWQdADMLF4TyG2pj9fJLtA/gbjFnaegqyKDHJ1uuhwBorVSXUgg92Nc= =a47H -----END PGP SIGNATURE----- --amBkfTpbOspVJbWlxxlajlskkTkx1KqNd--