From owner-freebsd-security@FreeBSD.ORG Tue Sep 30 18:58:12 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 2A7711C1 for ; Tue, 30 Sep 2014 18:58:12 +0000 (UTC) Received: from mail-ig0-x234.google.com (mail-ig0-x234.google.com [IPv6:2607:f8b0:4001:c05::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id DAA85A84 for ; Tue, 30 Sep 2014 18:58:11 +0000 (UTC) Received: by mail-ig0-f180.google.com with SMTP id a13so6148188igq.13 for ; Tue, 30 Sep 2014 11:58:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dataix.net; s=rsa; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=CjMJxlELlhiE7C0Ub1qUh3/+bfjObFPutphnfZej/ok=; b=gkaOPPBIh09K5+teiEytehXfMXYk5Z8hMKkZob59+UQ8RYLOS3lnMfdJhK3Axu93X0 hSds9PFDh5kv4lZrqj7QIjUGCFAlaxHasDmHADp3I0HtlV7Tn7XU6unUxeqeIhWVUcNU sYBoLndcTgni1q1yHcGwzF2py05Ur9iZb/4k4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=CjMJxlELlhiE7C0Ub1qUh3/+bfjObFPutphnfZej/ok=; b=Pz8ZsZXJn+guNqZD+7InNIXee0sLuO9fU5sgN6nZ5MRSzywsm52l+VXvrkMmPbRXXf K0zLd46kwlYWLLbkdVrseS5RrTKMP1OBjO5jUvH9RhQGVyTSgCMeQxsO7uZbipU0+B/H ez4Uj+I4G2LtEJHwPPFyJMPAVckXzmzlcmvLI6oRmPEiZ/jYFJYdYfxHJs8EhyAflz1f eJ+IKnnyXQYRz/nXi+q/ReOp2K5VXcv6RddC4yj66axAKA0AOQ3P9+/X07iIhZJyv9pZ jg6zvtueO4Qm2vo4XWYiUcV4Qvk33CrixKb5rbdy2fitz0QLJo6mQX4PdsWtWrzoNIF+ i4Fw== X-Gm-Message-State: ALoCoQn+JnbfUFudB9HYJtzHraXis6ldHtore2ga40NQkqHNBC3hSX0JAAozsi9al/s5ihOHmXWg X-Received: by 10.50.13.100 with SMTP id g4mr11069517igc.44.1412103491068; Tue, 30 Sep 2014 11:58:11 -0700 (PDT) Received: from [192.168.8.85] ([66.195.151.70]) by mx.google.com with ESMTPSA id ki5sm14033434igb.2.2014.09.30.11.58.09 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 30 Sep 2014 11:58:10 -0700 (PDT) Content-Type: text/plain; charset=windows-1252 Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\)) Subject: Re: bash velnerability From: Jason Hellenthal In-Reply-To: <542AFC54.9010405@FreeBSD.org> Date: Tue, 30 Sep 2014 13:58:07 -0500 Content-Transfer-Encoding: quoted-printable Message-Id: <2366B611-36BB-4543-9EEA-4777CCC9D127@dataix.net> References: <00000148ab969845-5940abcc-bb88-4111-8f7f-8671b0d0300b-000000@us-west-2.amazonses.com> <54243F0F.6070904@FreeBSD.org> <54244982.8010002@FreeBSD.org> <16EB2C50-FBBA-4797-83B0-FB340A737238@circl.lu> <542596E3.3070707@FreeBSD.org> <5425999A.3070405@FreeBSD.org> <5425A548.9090306@FreeBSD.org> <5425D427.8090309@FreeBSD.org> <54298266.1090201@sentex.net> <5429851B.8060500@FreeBSD.org> <542AFC54.9010405@FreeBSD.org> To: Jung-uk Kim X-Mailer: Apple Mail (2.1878.6) Cc: freebsd-security , freebsd-ports , Bryan Drewery X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Sep 2014 18:58:12 -0000 echo "Testing Exploit 1 (CVE-2014-6271)" CVE6271=3D"$(env x=3D'() { :;}; echo -n V' bash -c : 2>/dev/null)" [ "${CVE7187}" =3D=3D "V" ] && echo "VULNERABLE" || echo "NOT = VULNERABLE" echo "Testing Exploit 2 (CVE-2014-7169)" CVE7169=3D"$(env X=3D'() { (4lpi.com)=3D>\' bash -c "echo date" = 2>/dev/null; cat echo 2>/dev/null; rm -f echo)" [ ! "${CVE7169}" =3D=3D "date" ] && echo "VULNERABLE" || echo "NOT = VULNERABLE" echo "Testing Exploit 3 (CVE-2014-6277)" CVE6277=3D"$(env -i X=3D' () { }; echo -n V' bash -c :)" [ "${CVE6277}" =3D=3D "V" ] && echo "VULNERABLE" || echo "NOT = VULNERABLE" echo "Testing Exploit 4 (CVE-2014-7186)" CVE7186=3D"$(bash -c 'true </dev/null ||echo -n V)" [ "${CVE7186}" =3D=3D "V" ] && echo "VULNERABLE" || echo "NOT = VULNERABLE" echo "Testing Exploit 5 (CVE-2014-7187)" CVE7187=3D"$((for x in {1..200}; do echo "for x$x in ; do :"; done; for = x in {1..200}; do echo done; done) |bash 2>/dev/null ||echo -n V)" [ "${CVE7187}" =3D=3D "V" ] && echo "VULNERABLE" || echo "NOT = VULNERABLE=94 Good luck ;-) On Sep 30, 2014, at 13:54, Jung-uk Kim wrote: > On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote: >> On 9/29/2014 11:01 AM, Mike Tancsa wrote: >>> On 9/26/2014 5:01 PM, Bryan Drewery wrote: >>>> On 9/26/2014 12:41 PM, Bryan Drewery wrote: >>>>> On 9/26/2014 11:51 AM, Bryan Drewery wrote: >>>>>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote: >>>>>>> Apparently, the full fix is still not delivered, accordingly to = this: >>>>>>> http://seclists.org/oss-sec/2014/q3/741 >>>>>>>=20 >>>>>>> Kind regards, >>>>>>> Bartek Rutkowski >>>>>>>=20 >>>>>>=20 >>>>>> I'm pretty sure they call that a "feature". This is a bit = different. >>>>=20 >>>> I've disabled environment function importing in the port. Using >>>> --import-functions will allow it to work if you need it. >>>=20 >>> Hi Bryan, >>> With the latest ports, bashcheck still sees some issues with = bash. >>> Are these false positives on FreeBSD ? >>>=20 >>> Using >>> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck >>>=20 >>> Not vulnerable to CVE-2014-6271 (original shellshock) >>> Not vulnerable to CVE-2014-7169 (taviso bug) >>> ./bashcheck: line 18: 54908 Segmentation fault (core dumped) = bash >>> -c "true $(printf '< /dev/null >>> Vulnerable to CVE-2014-7186 (redir_stack bug) >>> Test for CVE-2014-7187 not reliable without address sanitizer >>> Variable function parser inactive, likely safe from unknown parser = bugs >>>=20 >>> ---Mike >>=20 >> Yes we have not applied the RedHat fix for CVE-2014-7186 or = CVE-2014-7187. >=20 > Applying the first patch for parse.y from the following post passed = the > tests for me. >=20 > http://www.openwall.com/lists/oss-security/2014/09/25/32 >=20 > In fact, all major Linux distros seem to use it now. >=20 > FYI, >=20 > Jung-uk Kim > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to = "freebsd-security-unsubscribe@freebsd.org" --=20 Jason Hellenthal Mobile: +1 (616) 953-0176 jhellenthal@DataIX.net JJH48-ARIN