[MacPorts] #45162: Bash still vulnerable
#45162: Bash still vulnerable -----------------------+-------------------------------- Reporter: kost.hc@… | Owner: macports-tickets@… Type: defect | Status: new Priority: High | Milestone: Component: ports | Version: 2.3.1 Keywords: | Port: bash -----------------------+-------------------------------- Bash is still vulnerable to the shellshock bash: {{{ $ sudo port selfupdate Password: ---> Updating MacPorts base sources using rsync MacPorts base version 2.3.1 installed, MacPorts base version 2.3.1 downloaded. ---> Updating the ports tree ---> MacPorts base is already the latest version The ports tree has been updated. To upgrade your installed ports, you should run port upgrade outdated }}} {{{ $ sudo port install bash ---> Computing dependencies for bash ---> Cleaning bash ---> Scanning binaries for linking errors ---> No broken files found. }}} {{{ $ bash --version GNU bash, version 4.3.25(1)-release (x86_64-apple-darwin13.2.0) Copyright (C) 2013 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software; you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. }}} It is not vulnerable to this: {{{ $ env X="() { :;} ; echo busted" /bin/sh -c "echo stuff" /bin/sh: warning: X: ignoring function definition attempt /bin/sh: error importing function definition for `X' stuff }}} But still vulnerable to this: {{{ $ env X='() { (a)=>\' sh -c "echo date"; cat echo sh: X: line 1: syntax error near unexpected token `=' sh: X: line 1: `' sh: error importing function definition for `X' Fri Sep 26 00:48:31 CEST 2014 }}} If you need more info, check this URL: http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html -- Ticket URL: <https://trac.macports.org/ticket/45162> MacPorts <http://www.macports.org/> Ports system for OS X
#45162: Bash still vulnerable ------------------------+-------------------------------- Reporter: kost.hc@… | Owner: macports-tickets@… Type: defect | Status: new Priority: High | Milestone: Component: ports | Version: 2.3.1 Resolution: | Keywords: Port: bash | ------------------------+-------------------------------- Comment (by kost.hc@…): Ticket you already have: https://trac.macports.org/ticket/45150 Fixes introduced in ticket 45150 fixes CVE-2014-6271, but bash is still vulnerable to second test (CVE-2014-7169): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169 -- Ticket URL: <https://trac.macports.org/ticket/45162#comment:1> MacPorts <http://www.macports.org/> Ports system for OS X
#45162: Bash still vulnerable ------------------------+---------------------- Reporter: kost.hc@… | Owner: raimue@… Type: defect | Status: new Priority: High | Milestone: Component: ports | Version: 2.3.1 Resolution: | Keywords: Port: bash | ------------------------+---------------------- Changes (by mf2k@…): * owner: macports-tickets@… => raimue@… Comment: In the future, please Cc the port maintainers ({{{port info --maintainers bash}}}) so that this can actually get fixed. -- Ticket URL: <https://trac.macports.org/ticket/45162#comment:2> MacPorts <http://www.macports.org/> Ports system for OS X
#45162: Bash still vulnerable ------------------------+---------------------- Reporter: kost.hc@… | Owner: raimue@… Type: defect | Status: new Priority: High | Milestone: Component: ports | Version: 2.3.1 Resolution: | Keywords: Port: bash | ------------------------+---------------------- Comment (by mf2k@…): For reference the actual test is: {{{ $ rm -f echo $ env X='() { (a)=>\' sh -c "echo date"; cat echo sh: X: line 1: syntax error near unexpected token `=' sh: X: line 1: `' sh: error importing function definition for `X' Fri Sep 26 11:29:03 MDT 2014 }}} The fact that the date prints out is the bug. In a properly patched system, here is the output: {{{ $ rm -f echo $ env X='() { (a)=>\' sh -c "echo date"; cat echo date cat: echo: No such file or directory }}} -- Ticket URL: <https://trac.macports.org/ticket/45162#comment:3> MacPorts <http://www.macports.org/> Ports system for OS X
#45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169) ------------------------+---------------------- Reporter: kost.hc@… | Owner: raimue@… Type: defect | Status: assigned Priority: High | Milestone: Component: ports | Version: 2.3.1 Resolution: | Keywords: Port: bash | ------------------------+---------------------- Changes (by raimue@…): * status: new => assigned Comment: Duplicate of -- Ticket URL: <https://trac.macports.org/ticket/45162#comment:4> MacPorts <http://www.macports.org/> Ports system for OS X
#45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169) ------------------------+---------------------- Reporter: kost.hc@… | Owner: raimue@… Type: defect | Status: assigned Priority: High | Milestone: Component: ports | Version: 2.3.1 Resolution: | Keywords: Port: bash | ------------------------+---------------------- Changes (by cal@…): * cc: cal@… (added) Comment: It seems Debian pushed two new versions of bash with security fixes: - 4.2+dfsg-0.1+deb7u2 with a fix for CVE-2014-7169, see https://tracker.debian.org/news/573425 - 4.2+dfsg-0.1+deb7u3 fixing an out-of-bound array access in the bash parser and a patch that moves all exported function definitions into a separate "namespace". The patches in question are: - http://sources.debian.net/src/bash/4.3-9.2/debian/patches/CVE-2014-7169.diff... (CVE-2014-7169) - http://sources.debian.net/src/bash/4.3-9.2/debian/patches/parser- oob.patch/ (out-of-bounds access in parser) - http://sources.debian.net/src/bash/4.3-9.2/debian/patches/variables- affix.patch/ (namespaced function exports) I'll test those in a second and attach a patch. -- Ticket URL: <https://trac.macports.org/ticket/45162#comment:6> MacPorts <http://www.macports.org/> Ports system for OS X
#45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169) ------------------------+---------------------- Reporter: kost.hc@… | Owner: raimue@… Type: defect | Status: assigned Priority: High | Milestone: Component: ports | Version: 2.3.1 Resolution: | Keywords: Port: bash | ------------------------+---------------------- Comment (by sierkb@…): Fix for CVE-2014-7169 is official and published by GNU Project: [http://ftp.gnu.org/gnu/bash/], patch 26 for Bash 4.3 [http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-026], see also [http://seclists.org/oss-sec/2014/q3/734]. Please update MacPorts' bash accordingly from 4.3.25 to this new patch level 4.3.26 as soon as possible. -- Ticket URL: <https://trac.macports.org/ticket/45162#comment:7> MacPorts <http://www.macports.org/> Ports system for OS X
#45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169) ------------------------+---------------------- Reporter: kost.hc@… | Owner: raimue@… Type: defect | Status: assigned Priority: High | Milestone: Component: ports | Version: 2.3.1 Resolution: | Keywords: Port: bash | ------------------------+---------------------- Comment (by cal@…): The official fix in patchlevel 26 is the same as in Debian's `CVE-2014-7169.diff`. I've attached a patch that updates the port and also ports Debian's patches. I'll leave it up to you to decide whether you also want Debian's patches or just upstream's fix. I've verified that function exports work after this patch. When they get exported into environment variables, they are prefixed with `BASH_FUNC_` and suffixed with `()`. -- Ticket URL: <https://trac.macports.org/ticket/45162#comment:8> MacPorts <http://www.macports.org/> Ports system for OS X
#45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169) ------------------------+---------------------- Reporter: kost.hc@… | Owner: raimue@… Type: defect | Status: assigned Priority: High | Milestone: Component: ports | Version: 2.3.1 Resolution: | Keywords: Port: bash | ------------------------+---------------------- Comment (by sierkb@…): Replying to [comment:8 cal@…]:
The official fix in patchlevel 26 is the same as in Debian's `CVE-2014-7169.diff`. I've attached a patch that updates the port and also ports Debian's patches. I'll leave it up to you to decide whether you also want Debian's patches or just upstream's fix.
More details: Debian's additional so far non-official patches seem to be these here: [https://lists.debian.org/debian-devel-changes/2014/09/msg03214.html], brought onto the table by Red Hat (Florian Weimer, Huzaifa Sidhpurwala) as so far non-upstream patches (not yet officially completely verified and assimilated upstream by the GNU Bash project) and discussed here: //seclists.org (oss-sec): Fwd: Non-upstream patches for bash// [http://seclists.org/oss-sec/2014/q3/712]. Additional to the official patch against CVE-2014-7169, they add so-far-non-upsteam fixes against CVE-2014-7186 [https://access.redhat.com/security/cve/CVE-2014-7186] and CVE-2014-7187 [https://access.redhat.com/security/cve/CVE-2014-7187]. If these additional so-far-non-upstream-patches maybe will be followed by a further official upstream patch by the GNU project (the chance is not zero, that this might happen), is out of my knowledge at this time of writing. I back the statement in comment:8, it's up to you, as the maintainer of this port, wether you want to be conservative and be on par with the current upstream status or anticipate its status by going a (yet unofficial) step ahead. -- Ticket URL: <https://trac.macports.org/ticket/45162#comment:9> MacPorts <http://www.macports.org/> Ports system for OS X
#45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169) ------------------------+---------------------- Reporter: kost.hc@… | Owner: raimue@… Type: defect | Status: assigned Priority: High | Milestone: Component: ports | Version: 2.3.1 Resolution: | Keywords: Port: bash | ------------------------+---------------------- Changes (by larryv@…): * cc: hahn.seb@… (added) Comment: Has duplicate #45173. -- Ticket URL: <https://trac.macports.org/ticket/45162#comment:10> MacPorts <http://www.macports.org/> Ports system for OS X
#45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169) ------------------------+---------------------- Reporter: kost.hc@… | Owner: raimue@… Type: defect | Status: assigned Priority: High | Milestone: Component: ports | Version: 2.3.1 Resolution: | Keywords: Port: bash | ------------------------+---------------------- Comment (by brian.reiter@…): The NetBSD and FreeBSD solution is an excellent mitigation. It removes the whole misfeature of passing function definitions to child shells by default. https://svnweb.freebsd.org/ports?view=revision&revision=369341 -- Ticket URL: <https://trac.macports.org/ticket/45162#comment:11> MacPorts <http://www.macports.org/> Ports system for OS X
#45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169) ------------------------+---------------------- Reporter: kost.hc@… | Owner: raimue@… Type: defect | Status: assigned Priority: High | Milestone: Component: ports | Version: 2.3.1 Resolution: | Keywords: Port: bash | ------------------------+---------------------- Comment (by cal@…): Replying to [comment:11 brian.reiter@…]:
The NetBSD and FreeBSD solution is an excellent mitigation. It removes the whole misfeature of passing function definitions to child shells by default.
That may be your opinion, but doing this breaks people's scripts, and is not something I'd be willing to do, unless bash upstream is also going to. I think the Debian patch reduces the attack surface for future bugs in function importing from the environment to situations where attackers control the variable name, which mitigates the remote code execution problems. -- Ticket URL: <https://trac.macports.org/ticket/45162#comment:12> MacPorts <http://www.macports.org/> Ports system for OS X
#45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169) ------------------------+---------------------- Reporter: kost.hc@… | Owner: raimue@… Type: defect | Status: assigned Priority: High | Milestone: Component: ports | Version: 2.3.1 Resolution: | Keywords: Port: bash | ------------------------+---------------------- Comment (by raimue@…): I committed an update to bash @4.3.26 in r125830. I think at this point it also makes sense to also take the other patches from Debian, especially for the new issues CVE-2014-7186 and CVE-2014-7187. Clemens (cal@), what is the source of the patches you posted? I would like to add a proper "Upstream: <URL>" or "Origin: <URL>" attribution in the patch files so we can reconstruct where they came from originally. -- Ticket URL: <https://trac.macports.org/ticket/45162#comment:13> MacPorts <http://www.macports.org/> Ports system for OS X
#45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169) ------------------------+---------------------- Reporter: kost.hc@… | Owner: raimue@… Type: defect | Status: assigned Priority: High | Milestone: Component: ports | Version: 2.3.1 Resolution: | Keywords: Port: bash | ------------------------+---------------------- Comment (by cal@…): I got them from the Debian URLs posted above. Not sure where they got them from. -- Ticket URL: <https://trac.macports.org/ticket/45162#comment:14> MacPorts <http://www.macports.org/> Ports system for OS X
#45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169) ------------------------+---------------------- Reporter: kost.hc@… | Owner: raimue@… Type: defect | Status: assigned Priority: High | Milestone: Component: ports | Version: 2.3.1 Resolution: | Keywords: Port: bash | ------------------------+---------------------- Comment (by hahn.seb@…): In the meantime, there's an official 4.3.27 out. I assume attaching a patch would make it more work for you compared than just making it yourself ;) -- Ticket URL: <https://trac.macports.org/ticket/45162#comment:16> MacPorts <http://www.macports.org/> Ports system for OS X
#45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169) ------------------------+---------------------- Reporter: kost.hc@… | Owner: raimue@… Type: defect | Status: assigned Priority: High | Milestone: Component: ports | Version: 2.3.1 Resolution: | Keywords: Port: bash | ------------------------+---------------------- Comment (by raimue@…): Update to bash @4.3.27 committed in r125869. -- Ticket URL: <https://trac.macports.org/ticket/45162#comment:17> MacPorts <http://www.macports.org/> Ports system for OS X
#45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169) ------------------------+---------------------- Reporter: kost.hc@… | Owner: raimue@… Type: defect | Status: assigned Priority: High | Milestone: Component: ports | Version: 2.3.1 Resolution: | Keywords: Port: bash | ------------------------+---------------------- Comment (by cal@…): Patchlevel 27 contains the namespaced function exports, but as far as I can see the parser OOB accesses are still unfixed. AFAIK meanwhile CVE numbers have been assigned for those, too. -- Ticket URL: <https://trac.macports.org/ticket/45162#comment:18> MacPorts <http://www.macports.org/> Ports system for OS X
#45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169) ------------------------+---------------------- Reporter: kost.hc@… | Owner: raimue@… Type: defect | Status: assigned Priority: High | Milestone: Component: ports | Version: 2.3.1 Resolution: | Keywords: Port: bash | ------------------------+---------------------- Comment (by sierkb@…): Just for the record:[[BR]] Ticket #45234: Checksum (sha1) mismatch for bash43-028 -- Ticket URL: <https://trac.macports.org/ticket/45162#comment:20> MacPorts <http://www.macports.org/> Ports system for OS X
#45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169) ------------------------+---------------------- Reporter: kost.hc@… | Owner: raimue@… Type: defect | Status: assigned Priority: High | Milestone: Component: ports | Version: 2.3.1 Resolution: | Keywords: Port: bash | ------------------------+---------------------- Comment (by sierkb@…): Please update to bash @4.3.29 (Patchlevel 29, published 10/03/2014 upstream at [ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/]). -- Ticket URL: <https://trac.macports.org/ticket/45162#comment:21> MacPorts <http://www.macports.org/> Ports system for OS X
#45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169) ------------------------+---------------------- Reporter: kost.hc@… | Owner: raimue@… Type: defect | Status: assigned Priority: High | Milestone: Component: ports | Version: 2.3.1 Resolution: | Keywords: Port: bash | ------------------------+---------------------- Comment (by sierkb@…): FYI: [https://lists.gnu.org/archive/html/bug-bash/2014-10/msg00031.html] and [http://lcamtuf.blogspot.de/2014/10/bash-bug-how-we-finally- cracked.html] -- Ticket URL: <https://trac.macports.org/ticket/45162#comment:22> MacPorts <http://www.macports.org/> Ports system for OS X
#45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169) ------------------------+---------------------- Reporter: kost.hc@… | Owner: raimue@… Type: defect | Status: assigned Priority: High | Milestone: Component: ports | Version: 2.3.1 Resolution: | Keywords: Port: bash | ------------------------+---------------------- Comment (by sierkb@…): Please update to bash @4.3.30, Patchlevel 30, published 10/05/2014 upstream at[[BR]] [ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/],[[BR]] [http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-030],[[BR]] [https://lists.gnu.org/archive/html/bug-bash/2014-10/msg00040.html],[[BR]] [http://git.savannah.gnu.org/cgit/bash.git/commit/?id=ca6a2ba40c709c2b45a56e4...] -- Ticket URL: <https://trac.macports.org/ticket/45162#comment:23> MacPorts <http://www.macports.org/> Ports system for OS X
#45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169) ------------------------+---------------------- Reporter: kost.hc@… | Owner: raimue@… Type: defect | Status: assigned Priority: High | Milestone: Component: ports | Version: 2.3.1 Resolution: | Keywords: Port: bash | ------------------------+---------------------- Comment (by raimue@…): bash @4.3.30 committed in r126243. -- Ticket URL: <https://trac.macports.org/ticket/45162#comment:24> MacPorts <http://www.macports.org/> Ports system for OS X
#45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169) ------------------------+---------------------- Reporter: kost.hc@… | Owner: raimue@… Type: defect | Status: closed Priority: High | Milestone: Component: ports | Version: 2.3.1 Resolution: fixed | Keywords: Port: bash | ------------------------+---------------------- Changes (by raimue@…): * status: assigned => closed * resolution: => fixed Comment: With all the patches in place, I consider this particular issue as fixed. If new security vulnerabilities arise, please open a new ticket. -- Ticket URL: <https://trac.macports.org/ticket/45162#comment:25> MacPorts <http://www.macports.org/> Ports system for OS X
participants (1)
-
MacPorts