From owner-freebsd-security@FreeBSD.ORG  Tue Sep 30 18:54:16 2014
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from hammer.pct.niksun.com (freefall.freebsd.org
 [IPv6:2001:1900:2254:206c::16:87])
 by hub.freebsd.org (Postfix) with ESMTP id 52315EE8;
 Tue, 30 Sep 2014 18:54:13 +0000 (UTC)
Message-ID: <542AFC54.9010405@FreeBSD.org>
Date: Tue, 30 Sep 2014 14:54:12 -0400
From: Jung-uk Kim <jkim@FreeBSD.org>
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64;
 rv:31.0) Gecko/20100101 Thunderbird/31.1.2
MIME-Version: 1.0
To: Bryan Drewery <bdrewery@FreeBSD.org>, Mike Tancsa <mike@sentex.net>
Subject: Re: bash velnerability
References: <CAHFU5H5WOnAXuFmfQEGkTvwoECATTCC3eKYE3yts+Bqh1M_8ww@mail.gmail.com>	<00000148ab969845-5940abcc-bb88-4111-8f7f-8671b0d0300b-000000@us-west-2.amazonses.com>	<54243F0F.6070904@FreeBSD.org>	<54244982.8010002@FreeBSD.org>	<16EB2C50-FBBA-4797-83B0-FB340A737238@circl.lu>	<542596E3.3070707@FreeBSD.org>
 <CAHcXP+dx2etYgQPNiAxk2P68Z-4j+bTvdMoHfz+xKsBDKh9Z9g@mail.gmail.com>
 <5425999A.3070405@FreeBSD.org> <5425A548.9090306@FreeBSD.org>
 <5425D427.8090309@FreeBSD.org> <54298266.1090201@sentex.net>
 <5429851B.8060500@FreeBSD.org>
In-Reply-To: <5429851B.8060500@FreeBSD.org>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Cc: freebsd-security <freebsd-security@freebsd.org>,
 freebsd-ports <freebsd-ports@freebsd.org>
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Sep 2014 18:54:16 -0000

On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote:
> On 9/29/2014 11:01 AM, Mike Tancsa wrote:
>> On 9/26/2014 5:01 PM, Bryan Drewery wrote:
>>> On 9/26/2014 12:41 PM, Bryan Drewery wrote:
>>>> On 9/26/2014 11:51 AM, Bryan Drewery wrote:
>>>>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>>>>>> Apparently, the full fix is still not delivered, accordingly to this:
>>>>>> http://seclists.org/oss-sec/2014/q3/741
>>>>>>
>>>>>> Kind regards,
>>>>>> Bartek Rutkowski
>>>>>>
>>>>>
>>>>> I'm pretty sure they call that a "feature". This is a bit different.
>>>
>>> I've disabled environment function importing in the port. Using
>>> --import-functions will allow it to work if you need it.
>>
>> Hi Bryan,
>>     With the latest ports, bashcheck still sees some issues with bash.
>> Are these false positives on FreeBSD ?
>>
>> Using
>> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
>>
>> Not vulnerable to CVE-2014-6271 (original shellshock)
>> Not vulnerable to CVE-2014-7169 (taviso bug)
>> ./bashcheck: line 18: 54908 Segmentation fault      (core dumped) bash
>> -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
>> Vulnerable to CVE-2014-7186 (redir_stack bug)
>> Test for CVE-2014-7187 not reliable without address sanitizer
>> Variable function parser inactive, likely safe from unknown parser bugs
>>
>>     ---Mike
> 
> Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.

Applying the first patch for parse.y from the following post passed the
tests for me.

http://www.openwall.com/lists/oss-security/2014/09/25/32

In fact, all major Linux distros seem to use it now.

FYI,

Jung-uk Kim