| Summary: | Recent Bash vulnerability found | | |
|---|---|---|---|
| Product: | IPFire | Reporter: | phane7 |
| Component: | --- | Assignee: | Michael Tremer <michael.tremer> |
| Status: | CLOSED FIXED | QA Contact: | |
| Severity: | Crash | | |
| Priority: | Will affect all users | CC: | ipfirebug, j0boyers, michael.tremer |
| Version: | 2 | | |
| Hardware: | i686 | | |
| OS: | Linux | | |
Description
phane7
2014-09-25 03:26:32 UTC
I can confirm this as well. It appears that 2.15 CU82 is running Bash 3.2.51(1).

[root@ipfire bin]# bash --version
GNU bash, version 3.2.51(1)-release (i586-pc-linux-gnu)
Copyright (C) 2007 Free Software Foundation, Inc.

Running a vulnerability test yields the following:

[root@ipfire bin]# env X="() { :;} ; echo vulnerable" /bin/sh -c "echo testing"
vulnerable
testing

This is fixed in Bash 3.2.52. Note that the Bash version listed at https://pakfire.ipfire.org/package/bash for IPFire 3 - 4.2.11 - is also vulnerable. This should be patched to 4.2.42.

(In reply to comment #1)
> I can confirm this as well. It appears that 2.15 CU82 is running Bash
> 3.2.51(1).
>
> [root@ipfire bin]# bash --version
> GNU bash, version 3.2.51(1)-release (i586-pc-linux-gnu)
> Copyright (C) 2007 Free Software Foundation, Inc.
>
> Running a vulnerability test yields the following:
>
> [root@ipfire bin]# env X="() { :;} ; echo vulnerable" /bin/sh -c "echo
> testing"
> vulnerable
> testing
>
> This is fixed in Bash 3.2.52. Note that the Bash version listed at
> https://pakfire.ipfire.org/package/bash for IPFire 3 - 4.2.11 - is also
> vulnerable. This should be patched to 4.2.42.

Sorry on that last bit - should be patched to 4.2.48, not 4.2.42. The patch for 3.2 can be found at http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-052. The patch for 4.2 can be found at http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-048. Wish I knew how to build patches for IPFire.

The patch has already been applied yesterday: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=6cda6f906eafb269ea7362343b8af609b3d9ce41

Unfortunately, it does not fix the issue completely and we are waiting for another fix that is being developed.

A second patch has been added which will fix CVE-2014-7169: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=e86c70a99f024c5d2973d25577ca2e657ce659db

Core Update 83 will be available in the testing repository as soon as possible.
bash-4.3-11.ip3 has been pushed to the IPFire 3 testing repository. You can provide feedback for this build here: https://pakfire.ipfire.org/build/800d0983-2ff6-4f59-88ce-62d97ba3aafa

bash-4.3-11.ip3 has been pushed to the IPFire 3 unstable repository. You can provide feedback for this build here: https://pakfire.ipfire.org/build/800d0983-2ff6-4f59-88ce-62d97ba3aafa

Further vulnerabilities in bash:

CVE-2014-7186 (redir_stack bug)
CVE-2014-7187
CVE-2014-6277 (lcamtuf bug)

http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29#CVE-2014-6271
http://forum.ipfire.org/index.php?topic=11569.msg74966;topicseen#msg74966

bash-4.3-11.ip3 has been pushed to the IPFire 3 stable repository. If problems still persist, please make note of it in this bug report.

(In reply to comment #9)
> Further vulnerabilities in bash:
>
> CVE-2014-7186 (redir_stack bug)
> CVE-2014-7187
> CVE-2014-6277 (lcamtuf bug)
>
> http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29#CVE-2014-6271
> http://forum.ipfire.org/index.php?topic=11569.msg74966;topicseen#msg74966

Could you please open a new bug report to track the new vulnerabilities, as this one should be closed: fixes for CVE-2014-6271 and CVE-2014-7169 have now been shipped.

*** Bug 10638 has been marked as a duplicate of this bug. ***

In the meantime, bash has been updated to version 4.3 on IPFire and all upstream patches have been pulled in:
http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=ce84ace5bf3b2de70fd437e61ef369e5afd82101
http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=3347f993b67f13aa6776d66ee1819c9558ca202a
http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=801dcd70b0ec02566c704ff4f450cc90f6283f60
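Added example, not part of this bug report and not IPFire's own code: a small POSIX sh script that turns the two checks this thread relies on into reusable functions. The first compares a `bash --version` banner against the fixed patch levels the report names (3.2.52 for the 3.2 series, 4.2.48 for the 4.2 series), which is what an administrator would run across a fleet before and after Core Update 83. The second runs the CVE-2014-6271 self-test quoted in the description against a shell binary of your choosing. The function names, exit-code conventions and the sample banners below are the editor's own constructions; the 4.3 series is reported as "not covered" because the thread says that version received all upstream patches rather than a single fixed patch level.

```shell
#!/bin/sh
# Added example: local Shellshock status checks built from the facts stated
# in this bug report. Function names and sample banners are constructed here.

# Compare a "bash --version" banner against the fixed patch levels named in
# the report: 3.2.52 for the 3.2 series, 4.2.48 for the 4.2 series.
# Exit status: 0 = at or above the fixed level, 1 = below it (vulnerable),
# 2 = banner not parseable, or a series this report does not give a fixed
#     patch level for (e.g. 4.3, which received all upstream patches).
bash_banner_patched() {
    banner="$1"
    # "GNU bash, version 3.2.51(1)-release (...)"  ->  "3.2.51"
    ver=$(printf '%s\n' "$banner" | sed -n 's/^GNU bash, version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    series=${ver%.*}      # "3.2"
    patch=${ver##*.}      # "51"
    case "$series" in
        3.2) fixed=52 ;;
        4.2) fixed=48 ;;
        *)   return 2 ;;
    esac
    [ "$patch" -ge "$fixed" ]
}

# Run the CVE-2014-6271 self-test quoted in the report against a shell
# binary (default /bin/sh). An affected shell imports the function body
# from the environment and executes the trailing "echo vulnerable" at
# startup, so that word shows up before "testing".
# Exit status: 0 = not affected, 1 = the shell printed "vulnerable".
shellshock_6271_check() {
    shell="${1:-/bin/sh}"
    out=$(env X="() { :;} ; echo vulnerable" "$shell" -c "echo testing" 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Human-readable wrapper around bash_banner_patched.
describe_banner() {
    rc=0
    bash_banner_patched "$1" || rc=$?
    case "$rc" in
        0) echo "patched:     $1" ;;
        1) echo "BELOW FIX:   $1" ;;
        *) echo "not covered: $1" ;;
    esac
}

# Stand-alone run: the report's own 3.2.51 banner, the 4.2.11 level it names
# for IPFire 3, and a constructed banner at the 4.2 fixed level.
describe_banner "GNU bash, version 3.2.51(1)-release (i586-pc-linux-gnu)"
describe_banner "GNU bash, version 4.2.11(1)-release (i586-pc-linux-gnu)"
describe_banner "GNU bash, version 4.2.48(1)-release (i586-pc-linux-gnu)"
if shellshock_6271_check /bin/sh; then
    echo "/bin/sh: not affected by CVE-2014-6271"
else
    echo "/bin/sh: affected by CVE-2014-6271"
fi
```

The banner comparison is deliberately limited to the two series the report gives fixed levels for; a version string it cannot place returns 2 rather than a false "patched", so a caller treating only exit code 0 as clean will not be misled by an unfamiliar build. The env-based check on its own only covers CVE-2014-6271; the report notes that CVE-2014-7169 needed a second patch, so a banner at or above the fixed level is the stronger signal.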