Date: Tue, 30 Sep 2014 14:46:05 -0500 From: Bryan Drewery <bdrewery@FreeBSD.org> To: Jung-uk Kim <jkim@FreeBSD.org>, Mike Tancsa <mike@sentex.net> Cc: freebsd-security <freebsd-security@freebsd.org>, freebsd-ports <freebsd-ports@freebsd.org> Subject: Re: bash velnerability Message-ID: <542B087D.3040903@FreeBSD.org> In-Reply-To: <542AFC54.9010405@FreeBSD.org> References: <CAHFU5H5WOnAXuFmfQEGkTvwoECATTCC3eKYE3yts%2BBqh1M_8ww@mail.gmail.com> <00000148ab969845-5940abcc-bb88-4111-8f7f-8671b0d0300b-000000@us-west-2.amazonses.com> <54243F0F.6070904@FreeBSD.org> <54244982.8010002@FreeBSD.org> <16EB2C50-FBBA-4797-83B0-FB340A737238@circl.lu> <542596E3.3070707@FreeBSD.org> <CAHcXP%2Bdx2etYgQPNiAxk2P68Z-4j%2BbTvdMoHfz%2BxKsBDKh9Z9g@mail.gmail.com> <5425999A.3070405@FreeBSD.org> <5425A548.9090306@FreeBSD.org> <5425D427.8090309@FreeBSD.org> <54298266.1090201@sentex.net> <5429851B.8060500@FreeBSD.org> <542AFC54.9010405@FreeBSD.org>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] On 9/30/2014 1:54 PM, Jung-uk Kim wrote: > On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote: >> On 9/29/2014 11:01 AM, Mike Tancsa wrote: >>> On 9/26/2014 5:01 PM, Bryan Drewery wrote: >>>> On 9/26/2014 12:41 PM, Bryan Drewery wrote: >>>>> On 9/26/2014 11:51 AM, Bryan Drewery wrote: >>>>>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote: >>>>>>> Apparently, the full fix is still not delivered, accordingly to this: >>>>>>> http://seclists.org/oss-sec/2014/q3/741 >>>>>>> >>>>>>> Kind regards, >>>>>>> Bartek Rutkowski >>>>>>> >>>>>> >>>>>> I'm pretty sure they call that a "feature". This is a bit different. >>>> >>>> I've disabled environment function importing in the port. Using >>>> --import-functions will allow it to work if you need it. >>> >>> Hi Bryan, >>> With the latest ports, bashcheck still sees some issues with bash. >>> Are these false positives on FreeBSD ? >>> >>> Using >>> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck >>> >>> Not vulnerable to CVE-2014-6271 (original shellshock) >>> Not vulnerable to CVE-2014-7169 (taviso bug) >>> ./bashcheck: line 18: 54908 Segmentation fault (core dumped) bash >>> -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null >>> Vulnerable to CVE-2014-7186 (redir_stack bug) >>> Test for CVE-2014-7187 not reliable without address sanitizer >>> Variable function parser inactive, likely safe from unknown parser bugs >>> >>> ---Mike >> >> Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187. > > Applying the first patch for parse.y from the following post passed the > tests for me. > > http://www.openwall.com/lists/oss-security/2014/09/25/32 > > In fact, all major Linux distros seem to use it now. > > FYI, > > Jung-uk Kim I was holding off on this one as it had not proven to be remotely exploitable from what I saw. I was also wanting to see what upstream did before throwing more intrusive patches at our port. I even saw a reddit post last night complaining that OSX had updated bash only to leave it "still vulnerable" because of the redir_stack issue. I will apply the redir_stack patch since it's becoming an FAQ. -- Regards, Bryan Drewery [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) iQEcBAEBAgAGBQJUKwh+AAoJEDXXcbtuRpfPj2oH/3BLQYSuHDovrK2WmZF73dUs lXL0TY8JI/K19NJDDtHZbdSnJnNOVgp1CjTLKib6T/JQ9jQ8/aTIiCJxgPDMIMVi 4OTDlohszIgsSK5xOkBdLUllVwFaLpSIGJTLfUW7aOkT8Fk6/Bshg9zeE9Qw+n0O Wu0hgQcjtJWKB9/bel8vROsN9CrfbPtscD119U0E2/GNgyiy/FogW3heRJR440xv h4ttubqPyBHstR6AhvVau7ReLxZ2fnQefIdVyB5/QYKXSSVRiOBxpNeRrfX51EZd 367uoP4Wvf3C2MJt/8eDq6wUrgZfK/WDqKv6hMGPuYl1N5I07Jm1WjWvRbSgYko= =RqWM -----END PGP SIGNATURE-----help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?542B087D.3040903>