bash incomplete fix for CVE-2014-6271

http://seclists.org/oss-sec/2014/q3/685
CVE-2014-7169 is assigned for the failed patch

Proposed patch for CVE-2014-7169 here:

http://www.openwall.com/lists/oss-security/2014/09/25/10

I am building bash updates for Ubuntu containing the proposed fix here and will publish them once the fix has been made official:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Status changed to 'Confirmed' because the bug affects multiple users.

Marc, I've just upgraded to 4.3.7-ubuntu1.2 in trusty (https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.2) which I assume was supposed to protect against the test case provided for CVE-2014-7169. It doesn't appear to have done so. Confirmed that the upgrade was successfully applied.

harry@mars:~ aptitude show bash | egrep '^Version'
Version: 4.3-7ubuntu1.2

harry@mars:~$ md5sum /bin/bash Downloads/bash_4.3-7ubuntu1.2_amd64/bin/bash
3c263963be49239e113a5794d54b732a /bin/bash
3c263963be49239e113a5794d54b732a Downloads/bash_4.3-7ubuntu1.2_amd64/bin/bash

harry@mars:~$ cat echo
cat: echo: No such file or directory

harry@mars:~$ env -i X='() { (a)=>\' bash -c 'echo date'
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'

harry@mars:~$ cat echo
Fri Sep 26 00:38:09 BST 2014

Re the above: the patch was *not* correctly applied in trusty package bash_4.3-7ubuntu1.2.

lucid package bash_4.3-7ubuntu1.2 appears to have been upgraded fine, and handles the test case correctly.

harry@mars:~$ md5sum Downloads/bash_4.3-7ubuntu1.1_amd64/bin/bash Downloads/bash_4.3-7ubuntu1.2_amd64/bin/bash
3c263963be49239e113a5794d54b732a Downloads/bash_4.3-7ubuntu1.1_amd64/bin/bash
3c263963be49239e113a5794d54b732a Downloads/bash_4.3-7ubuntu1.2_amd64/bin/bash

harry@mars:~$ md5sum Downloads/bash_4.2-2ubuntu2.2_amd64/bin/bash Downloads/bash_4.2-2ubuntu2.3_amd64/bin/bash
d63ff62f142e76205e89e4a4de553fec Downloads/bash_4.2-2ubuntu2.2_amd64/bin/bash
5ee533c7cd3a8246b4a3d7a29ffbe0b2 Downloads/bash_4.2-2ubuntu2.3_amd64/bin/bash

harry@mars:~$ env -i PATH="Downloads/bash_4.2-2ubuntu2.3_amd64/bin:$PATH" X='() { (a)=>\' bash -c 'echo date'; cat echo
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
date
cat: echo: No such file or directory

For completeness, I've opened Bug #1374207 on the issue with trusty. Good news is that lucid and precise seem OK.

There was a build issue with the Ubuntu 14.04 package, and I am in the process of fixing it now. An update will be released within the hour.

The other releases should be ok.

Hi,

Red Hat released new packages at https://rhn.redhat.com/errata/RHSA-2014-1306.html, that include fix for CVE-2014-7169, and they fixed with another way, and another problems (OOB memory access).

We can investigate from RH SRPM, http://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/bash-4.1.2-15.el6_5.2.src.rpm

IMHO, Red Hat fix included 3 patches.
 - bash-4.2-cve-2014-7169-0.patch : parser bug fix-A for CVE-2014-7169 (same as http://seclists.org/oss-sec/2014/q3/685 )
 - bash-4.2-cve-2014-7169-1.patch : introduce variable isolation in function import situation. another fix for CVE-2014-7169. this is new patch.
 - bash-4.2-cve-2014-7169-2.patch : OOB memory access(new problem) fix.

They probosed these new patches at http://www.openwall.com/lists/oss-security/2014/09/25/32 .

I make a proposition about that, could we apply these new patches? or they are not important?

Fixed in the new Ubuntu 14.04 package https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.3

Fumihito YOSHIDA (hito),

We are awaiting comments from the upstream bash developer about the OOB memory fixes, and the variable isolation hardening. We will address those in a later bash update.

This bug was fixed in the package bash - 4.3-9ubuntu3

---------------
bash (4.3-9ubuntu3) utopic; urgency=medium

  * SECURITY UPDATE: incomplete fix for CVE-2014-6271 (LP: #1373781)
    - debian/patches/CVE-2014-7169.diff: fix logic in parse.y and y.tab.c.
    - CVE-2014-7169
 -- Marc Deslauriers <email address hidden> Thu, 25 Sep 2014 21:43:10 -0400

Utopic feedback

oem@u32:~$ aptitude show bash | egrep '^Version'
Version: 4.3-9ubuntu3
oem@u32:~$ env x='() { :;}; echo hackable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
oem@u32:~$ env -i X='() { (a)=>\' bash -c 'echo date'
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
date

Seems still having problem

@dino99: both your test cases look good to me. What results were you expecting?

@Marc

its only a feedback, and i only see that warning.
if you think its ok, i'm ok too (no skill on my side for commenting)

as i've reported an other bug about that 'warning' thing, i'm closing it too.

Thanks for the answer

Some additional feedback from 14.04 (using latest 4.3-7ubuntu1.3):

spyros@prod01:~# env -i X='() { (a)=>\' bash -c 'echo date'
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
date

spyros@prod01:~# env X='() { (a)=>\' bash -c "echo date"; cat echo
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
Fri Sep 26 12:13:33 PDT 2014

I apologize if this is a stupid question, but why is it that the second case still works?
Doesn't this mean that the system is still vulnerable to CVE-2014-7169?

do you perhaps have a left-over file called 'echo' in that directory?

If so, you need to delete it before running the test.

On 09/26/2014 03:49 PM, Spyros wrote:
> spyros@prod01:~# env X='() { (a)=>\' bash -c "echo date"; cat echo
> bash: X: line 1: syntax error near unexpected token `='
> bash: X: line 1: `'
> bash: error importing function definition for `X'
> Fri Sep 26 12:13:33 PDT 2014
>
> I apologize if this is a stupid question, but why is it that the second case still works?
> Doesn't this mean that the system is still vulnerable to CVE-2014-7169?

Maybe you had a leftover file named "echo" in root's home? If yes,
remove it and retest.

Thank you for the reply Marc & Simon.
Unfortunately this isn't due to a leftover file.

spyros@prod01:~# env X='() { (a)=>\' bash -c "echo date"; cat echo
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
Fri Sep 26 12:14:15 PDT 2014
spyros@prod01:~# rm echo
spyros@prod01:~# env X='() { (a)=>\' bash -c "echo date"; cat echo
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
Fri Sep 26 12:15:24 PDT 2014

The only difference between the "working" and "non-working" version that I spot, is the -i argument to env, but I'm not sure why/how the empty environment would affect this.

Since the last update:
ii bash 4.3-7ubuntu1.4 amd64 GNU Bourne Again SHell

the following happen:
lars@dachs:/tmp$ rm -f echo && env -i X='() { (a)=>\' bash -c 'echo id'; cat echo
id
cat: echo: No such file or directory
lars@dachs:/tmp$

Maybe this helps others to verify:
https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck

lars@dachs:~$ ./bashcheck
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs