Date: Mon, 29 Sep 2014 12:01:42 -0400 From: Mike Tancsa <mike@sentex.net> To: Bryan Drewery <bdrewery@freebsd.org> Cc: freebsd-security <freebsd-security@freebsd.org>, freebsd-ports <freebsd-ports@freebsd.org> Subject: Re: bash velnerability Message-ID: <54298266.1090201@sentex.net> In-Reply-To: <5425D427.8090309@FreeBSD.org> References: <CAHFU5H5WOnAXuFmfQEGkTvwoECATTCC3eKYE3yts%2BBqh1M_8ww@mail.gmail.com> <00000148ab969845-5940abcc-bb88-4111-8f7f-8671b0d0300b-000000@us-west-2.amazonses.com> <54243F0F.6070904@FreeBSD.org> <54244982.8010002@FreeBSD.org> <16EB2C50-FBBA-4797-83B0-FB340A737238@circl.lu> <542596E3.3070707@FreeBSD.org> <CAHcXP%2Bdx2etYgQPNiAxk2P68Z-4j%2BbTvdMoHfz%2BxKsBDKh9Z9g@mail.gmail.com> <5425999A.3070405@FreeBSD.org> <5425A548.9090306@FreeBSD.org> <5425D427.8090309@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 9/26/2014 5:01 PM, Bryan Drewery wrote: > On 9/26/2014 12:41 PM, Bryan Drewery wrote: >> On 9/26/2014 11:51 AM, Bryan Drewery wrote: >>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote: >>>> Apparently, the full fix is still not delivered, accordingly to this: >>>> http://seclists.org/oss-sec/2014/q3/741 >>>> >>>> Kind regards, >>>> Bartek Rutkowski >>>> >>> >>> I'm pretty sure they call that a "feature". This is a bit different. > > I've disabled environment function importing in the port. Using > --import-functions will allow it to work if you need it. Hi Bryan, With the latest ports, bashcheck still sees some issues with bash. Are these false positives on FreeBSD ? Using https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck Not vulnerable to CVE-2014-6271 (original shellshock) Not vulnerable to CVE-2014-7169 (taviso bug) ./bashcheck: line 18: 54908 Segmentation fault (core dumped) bash -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null Vulnerable to CVE-2014-7186 (redir_stack bug) Test for CVE-2014-7187 not reliable without address sanitizer Variable function parser inactive, likely safe from unknown parser bugs ---Mike -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54298266.1090201>