From owner-freebsd-security@FreeBSD.ORG Tue Sep 30 19:59:06 2014
Delivered-To: freebsd-security@freebsd.org
Received: from hammer.pct.niksun.com (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by hub.freebsd.org (Postfix) with ESMTP id 7AF3A2A4; Tue, 30 Sep 2014 19:58:59 +0000 (UTC)
Message-ID: <542B0B82.3020201@FreeBSD.org>
Date: Tue, 30 Sep 2014 15:58:58 -0400
From: Jung-uk Kim
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2
MIME-Version: 1.0
To: Jason Hellenthal
Subject: Re: bash velnerability
References: <00000148ab969845-5940abcc-bb88-4111-8f7f-8671b0d0300b-000000@us-west-2.amazonses.com> <54243F0F.6070904@FreeBSD.org> <54244982.8010002@FreeBSD.org> <16EB2C50-FBBA-4797-83B0-FB340A737238@circl.lu> <542596E3.3070707@FreeBSD.org> <5425999A.3070405@FreeBSD.org> <5425A548.9090306@FreeBSD.org> <5425D427.8090309@FreeBSD.org> <54298266.1090201@sentex.net> <5429851B.8060500@FreeBSD.org> <542AFC54.9010405@FreeBSD.org> <2366B611-36BB-4543-9EEA-4777CCC9D127@dataix.net>
In-Reply-To: <2366B611-36BB-4543-9EEA-4777CCC9D127@dataix.net>
Content-Type: multipart/mixed; boundary="------------040100080403030600080603"
Cc: freebsd-security, Bryan Drewery, freebsd-ports
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Tue, 30 Sep 2014 19:59:06 -0000

On 2014-09-30 14:58:07 -0400, Jason Hellenthal wrote:
> echo "Testing Exploit 1 (CVE-2014-6271)"
> CVE6271="$(env x='() { :;}; echo -n V' bash -c : 2>/dev/null)"
> [ "${CVE6271}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
>
> echo "Testing Exploit 2 (CVE-2014-7169)"
> CVE7169="$(env X='() { (4lpi.com)=>\' bash -c "echo date" 2>/dev/null; cat echo 2>/dev/null; rm -f echo)"
> [ ! "${CVE7169}" == "date" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
>
> echo "Testing Exploit 3 (CVE-2014-6277)"
> CVE6277="$(env -i X=' () { }; echo -n V' bash -c :)"
> [ "${CVE6277}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
>
> echo "Testing Exploit 4 (CVE-2014-7186)"
> CVE7186="$(bash -c 'true </dev/null ||echo -n V)"
> [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
>
> echo "Testing Exploit 5 (CVE-2014-7187)"
> CVE7187="$( (for x in {1..200}; do echo "for x$x in ; do :"; done; for x in {1..200}; do echo done; done) | bash 2>/dev/null || echo -n V)"
> [ "${CVE7187}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
>
> Good luck ;-)

Yes, it passes all tests (the patch attached).

Jung-uk Kim

Content-Disposition: attachment; filename="patch-parse.y"

--- parse.y.orig 2014-09-30 12:58:08.462512373 -0400
+++ parse.y 2014-09-30 12:58:08.629018000 -0400
@@ -265,9 +265,21 @@ /* Variables to manage the task of reading here documents, because we need to defer the reading until after a complete command has been collected. */ -static REDIRECT *redir_stack[10]; +static REDIRECT **redir_stack; int need_here_doc; +/* Pushes REDIR onto redir_stack, resizing it as needed. */ +static void +push_redir_stack (REDIRECT *redir) +{ + /* Guard against oveflow. */ + if (need_here_doc + 1 > INT_MAX / sizeof (*redir_stack)) + abort (); + redir_stack = xrealloc (redir_stack, + (need_here_doc + 1) * sizeof (*redir_stack)); + redir_stack[need_here_doc++] = redir; +} + /* Where shell input comes from. History expansion is performed on each line when the shell is interactive. */ static char *shell_input_line = (char *)NULL;
@@ -520,42 +532,42 @@ source.dest = 0; redir.filename = $2; $$ = make_redirection (source, r_reading_until, redir, 0); - redir_stack[need_here_doc++] = $$; + push_redir_stack ($$); } | NUMBER LESS_LESS WORD { source.dest = $1; redir.filename = $3; $$ = make_redirection (source, r_reading_until, redir, 0); - redir_stack[need_here_doc++] = $$; + push_redir_stack ($$); } | REDIR_WORD LESS_LESS WORD { source.filename = $1; redir.filename = $3; $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN); - redir_stack[need_here_doc++] = $$; + push_redir_stack ($$); } | LESS_LESS_MINUS WORD { source.dest = 0; redir.filename = $2; $$ = make_redirection (source, r_deblank_reading_until, redir, 0); - redir_stack[need_here_doc++] = $$; + push_redir_stack ($$); } | NUMBER LESS_LESS_MINUS WORD { source.dest = $1; redir.filename = $3; $$ = make_redirection (source, r_deblank_reading_until, redir, 0); - redir_stack[need_here_doc++] = $$; + push_redir_stack ($$); } | REDIR_WORD LESS_LESS_MINUS WORD { source.filename = $1; redir.filename = $3; $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN); - redir_stack[need_here_doc++] = $$; + push_redir_stack ($$); } | LESS_LESS_LESS WORD { @@ -4905,7 +4917,7 @@ case CASE: case SELECT: case FOR: - if (word_top < MAX_CASE_NEST) + if (word_top + 1 < MAX_CASE_NEST) word_top++; word_lineno[word_top] = line_number; break;
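Review bot: in the first hunk (@@ -265), push_redir_stack calls xrealloc on every push, so the stack grows by exactly one element per here-document; keeping a separate capacity counter and doubling it would avoid a realloc per `<<`. Since redir_stack now starts life as a NULL pointer, also confirm that xrealloc treats a NULL first argument like malloc, or initialise the stack before the first push. The overflow guard `need_here_doc + 1 > INT_MAX / sizeof (*redir_stack)` compares an int promoted to size_t, which is fine for non-negative need_here_doc, but the comment should read "overflow" rather than "oveflow".

Review bot: in the second hunk (@@ -520), the six `redir_stack[need_here_doc++] = $$;` sites are replaced by `push_redir_stack ($$);`, but turning `REDIRECT *redir_stack[10]` into a bare pointer changes the meaning of every other use of the name in parse.y, not just these pushes: any remaining `sizeof (redir_stack)` or a bound written against the old size of 10 would now be silently wrong, so the code that walks the stack when the here-documents are gathered (not in this hunk) should be checked in the same review.

Review bot: in the last hunk (@@ -4905), `word_top + 1 < MAX_CASE_NEST` closes the off-by-one in the old check, which let word_top reach MAX_CASE_NEST and then write word_lineno[MAX_CASE_NEST], one past the end if word_lineno has MAX_CASE_NEST entries; this is the nesting depth the 200 nested `for` loops in the CVE-2014-7187 test above exercise. When the limit is hit, though, word_top is not incremented but `word_lineno[word_top] = line_number;` still runs and overwrites the outer level's line number, and the matching decrement on the closing keyword (outside this hunk) will still fire for the extra level, so that side needs the same guard or the counter drifts; a short comment stating what happens at the limit would help the next reader.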