Date:      Fri, 26 Sep 2014 11:51:38 -0500
From:      Bryan Drewery <bdrewery@FreeBSD.org>
To:        Bartek Rutkowski <robak@freebsd.org>
Cc:        freebsd-security <freebsd-security@freebsd.org>, freebsd-ports <freebsd-ports@freebsd.org>
Subject:   Re: bash vulnerability
Message-ID:  <5425999A.3070405@FreeBSD.org>
In-Reply-To: <CAHcXP+dx2etYgQPNiAxk2P68Z-4j+bTvdMoHfz+xKsBDKh9Z9g@mail.gmail.com>
References:  <CAHFU5H5WOnAXuFmfQEGkTvwoECATTCC3eKYE3yts+Bqh1M_8ww@mail.gmail.com> <00000148ab969845-5940abcc-bb88-4111-8f7f-8671b0d0300b-000000@us-west-2.amazonses.com> <54243F0F.6070904@FreeBSD.org> <54244982.8010002@FreeBSD.org> <16EB2C50-FBBA-4797-83B0-FB340A737238@circl.lu> <542596E3.3070707@FreeBSD.org> <CAHcXP+dx2etYgQPNiAxk2P68Z-4j+bTvdMoHfz+xKsBDKh9Z9g@mail.gmail.com>


On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
> On Fri, Sep 26, 2014 at 6:40 PM, Bryan Drewery <bdrewery@freebsd.org> wrote:
>> On 9/26/2014 2:36 AM, Steve Clement wrote:
>>> Dear all,
>>>
>>> In case you urgently need to go the manual route, here is one way to really patch your systems:
>>>
>>> https://www.circl.lu/pub/tr-27/
>>>
>>> Until the patch is in the bash upstream… (which it might be by now)
>>>
>>> Take care,
>>>
>>
>> The port has had the fixes since yesterday. The packages are building.
>>
>> --
>> Regards,
>> Bryan Drewery
>>
> 
> Apparently, the full fix is still not delivered, according to this:
> http://seclists.org/oss-sec/2014/q3/741
> 
> Kind regards,
> Bartek Rutkowski
> 

I'm pretty sure they call that a "feature". This is a bit different.
This is modifying the command used to call a function as the feature
intends. The vulnerability was that just parsing the environment would
execute the code.

TL;DR: You should cleanse your environment and only accept valid input
to work around this feature. The bash developer (Chet) said he would not
remove it by default, at least a few days ago.

-- 
Regards,
Bryan Drewery
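The "cleanse your environment" workaround from the message above, as an added example; this is not code from the thread or from the FreeBSD project. Bash stores an exported function in the environment as a variable whose value begins with the marker `() {`, so a defender can flag such variables and run children with only an allowlisted, re-checked set of variables. The function names (`has_function_export`, `scan_env`, `run_cleansed`), the allowlist and the sample `NAME=VALUE` input are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): flag environment
# variables that carry a bash function export and run a child command
# with an explicit, re-checked allowlist of variables only.

# Return 0 when a value starts with the "() {" marker bash uses for
# exported function definitions, 1 otherwise.
has_function_export() {
    case "$1" in
        "() {"*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Read NAME=VALUE lines on stdin (the shape `env` prints), report the
# names whose values carry the marker, and return 1 if any were found,
# 0 if the input was clean. Lines without '=' (continuations of
# multi-line values) are skipped.
scan_env() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *=*) ;;
            *) continue ;;
        esac
        name=${line%%=*}
        value=${line#*=}
        if has_function_export "$value"; then
            printf 'suspicious: %s\n' "$name"
            found=1
        fi
    done
    return "$found"
}

# Run "$@" under `env -i` with a fresh environment holding only the
# allowlisted variables below (a constructed list; extend it to what the
# child genuinely needs), each one re-checked for the marker first.
run_cleansed() {
    envargs=""
    for name in PATH HOME LANG TERM; do
        eval "value=\${$name-}"
        if [ -n "$value" ] && ! has_function_export "$value"; then
            envargs="$envargs $name=\"\$$name\""
        fi
    done
    eval "env -i $envargs \"\$@\""
}

# Usage: audit the current environment, then run a command cleansed.
#   env | scan_env || echo "function exports present in environment"
#   run_cleansed sh -c 'echo running with a reduced environment'
```

`scan_env` is a quick audit of what a CGI wrapper, cron job or SSH forced command would inherit; `run_cleansed` is the actual workaround, since a variable that never reaches the child cannot be parsed by it. Keep the allowlist short and specific to the child, rather than copying the parent's environment and deleting known-bad names.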



Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5425999A.3070405>