From owner-freebsd-security@FreeBSD.ORG Mon Sep 29 16:02:06 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B9CACC10; Mon, 29 Sep 2014 16:02:06 +0000 (UTC) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [IPv6:2607:f3e0:0:1::12]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "smarthost.sentex.ca", Issuer "smarthost.sentex.ca" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 7E1B2E5C; Mon, 29 Sep 2014 16:02:06 +0000 (UTC) Received: from [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a] (saphire3.sentex.ca [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a]) by smarthost1.sentex.ca (8.14.9/8.14.9) with ESMTP id s8TG22Ah041229; Mon, 29 Sep 2014 12:02:02 -0400 (EDT) (envelope-from mike@sentex.net) Message-ID: <54298266.1090201@sentex.net> Date: Mon, 29 Sep 2014 12:01:42 -0400 From: Mike Tancsa Organization: Sentex Communications User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2 MIME-Version: 1.0 To: Bryan Drewery Subject: Re: bash velnerability References: <00000148ab969845-5940abcc-bb88-4111-8f7f-8671b0d0300b-000000@us-west-2.amazonses.com> <54243F0F.6070904@FreeBSD.org> <54244982.8010002@FreeBSD.org> <16EB2C50-FBBA-4797-83B0-FB340A737238@circl.lu> <542596E3.3070707@FreeBSD.org> <5425999A.3070405@FreeBSD.org> <5425A548.9090306@FreeBSD.org> <5425D427.8090309@FreeBSD.org> In-Reply-To: <5425D427.8090309@FreeBSD.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.74 Cc: freebsd-security , freebsd-ports X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 Sep 2014 16:02:06 -0000 On 9/26/2014 5:01 PM, Bryan Drewery wrote: > On 9/26/2014 12:41 PM, Bryan Drewery wrote: >> On 9/26/2014 11:51 AM, Bryan Drewery wrote: >>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote: >>>> Apparently, the full fix is still not delivered, accordingly to this: >>>> http://seclists.org/oss-sec/2014/q3/741 >>>> >>>> Kind regards, >>>> Bartek Rutkowski >>>> >>> >>> I'm pretty sure they call that a "feature". This is a bit different. > > I've disabled environment function importing in the port. Using > --import-functions will allow it to work if you need it. Hi Bryan, With the latest ports, bashcheck still sees some issues with bash. Are these false positives on FreeBSD ? Using https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck Not vulnerable to CVE-2014-6271 (original shellshock) Not vulnerable to CVE-2014-7169 (taviso bug) ./bashcheck: line 18: 54908 Segmentation fault (core dumped) bash -c "true $(printf '< /dev/null Vulnerable to CVE-2014-7186 (redir_stack bug) Test for CVE-2014-7187 not reliable without address sanitizer Variable function parser inactive, likely safe from unknown parser bugs ---Mike -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/