Bug 10631

Summary: Recent Bash vulnerability found
Product: IPFire Reporter: phane7
Component: ---Assignee: Michael Tremer <michael.tremer>
Status: CLOSED FIXED QA Contact:
Severity: Crash    
Priority: Will affect all users CC: ipfirebug, j0boyers, michael.tremer
Version: 2   
Hardware: i686   
OS: Linux   

Description phane7 2014-09-25 03:26:32 UTC
http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/

I've confirmed that the version of BASH included with 2.15 CU 82 has a vulnerable version of BASH.  There are patches available for it.
Comment 1 j0boyers 2014-09-25 05:37:24 UTC
I can confirm this as well.  It appears that 2.15 CU82 is running Bash 3.2.51(1).

[root@ipfire bin]# bash --version
GNU bash, version 3.2.51(1)-release (i586-pc-linux-gnu)
Copyright (C) 2007 Free Software Foundation, Inc.

Running a vulnerability test yields the following:

[root@ipfire bin]# env X="() { :;} ; echo vulnerable" /bin/sh -c "echo testing"
vulnerable
testing

This is fixed in Bash 3.2.52.  Note that the Bash version listed at https://pakfire.ipfire.org/package/bash for IPFire 3 - 4.2.11 - is also vulnerable.  This should be patched to 4.2.42.
Comment 2 j0boyers 2014-09-25 05:38:44 UTC
(In reply to comment #1)
> I can confirm this as well.  It appears that 2.15 CU82 is running Bash
> 3.2.51(1).
> 
> [root@ipfire bin]# bash --version
> GNU bash, version 3.2.51(1)-release (i586-pc-linux-gnu)
> Copyright (C) 2007 Free Software Foundation, Inc.
> 
> Running a vulnerability test yields the following:
> 
> [root@ipfire bin]# env X="() { :;} ; echo vulnerable" /bin/sh -c "echo
> testing"
> vulnerable
> testing
> 
> This is fixed in Bash 3.2.52.  Note that the Bash version listed at
> https://pakfire.ipfire.org/package/bash for IPFire 3 - 4.2.11 - is also
> vulnerable.  This should be patched to 4.2.42.

Sorry on that last bit - should be patched to 4.2.48, not 4.2.42.
Comment 3 j0boyers 2014-09-25 05:42:57 UTC
The patch for 3.2 can be found at http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-052.  The patch for 4.2 can be found at http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-048.  Wish I knew how to build patches for IPFire.
Comment 4 Michael Tremer 2014-09-25 13:52:40 UTC
The patch has already been applied yesterday:

http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=6cda6f906eafb269ea7362343b8af609b3d9ce41

Unfortunately, it does not fix the issue completely and we are waiting for an other fix being developed.
Comment 5 Michael Tremer 2014-09-25 21:59:25 UTC
A second patch has been added which will fix CVE-2014-7169:

http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=e86c70a99f024c5d2973d25577ca2e657ce659db

Core Update 83 will be available in the testing repository as soon as possible.
Comment 7 Pakfire Build Service 2014-09-27 12:55:13 UTC
bash-4.3-11.ip3 has been pushed to the IPFire 3 testing repository.

You can provide feedback for this build here:
  https://pakfire.ipfire.org/build/800d0983-2ff6-4f59-88ce-62d97ba3aafa
Comment 8 Pakfire Build Service 2014-09-27 13:36:48 UTC
bash-4.3-11.ip3 has been pushed to the IPFire 3 unstable repository.

You can provide feedback for this build here:
  https://pakfire.ipfire.org/build/800d0983-2ff6-4f59-88ce-62d97ba3aafa
Comment 9 klausbrause 2014-09-28 11:55:57 UTC
weitere Lücken in bash

CVE-2014-7186 (redir_stack bug)
CVE-2014-7187
CVE-2014-6277 (lcamtuf bug)

http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29#CVE-2014-6271
http://forum.ipfire.org/index.php?topic=11569.msg74966;topicseen#msg74966
Comment 10 Pakfire Build Service 2014-09-28 20:23:28 UTC
bash-4.3-11.ip3 has been pushed to the IPFire 3 stable repository.

If problems still persist, please make note of it in this bug report.
Comment 11 Michael Tremer 2014-09-28 22:02:29 UTC
(In reply to comment #9)
> weitere Lücken in bash
> 
> CVE-2014-7186 (redir_stack bug)
> CVE-2014-7187
> CVE-2014-6277 (lcamtuf bug)
> 
> http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29#CVE-2014-6271
> http://forum.ipfire.org/index.php?topic=11569.msg74966;topicseen#msg74966

Could you please open a new bug report to track the new vulnerabilities as this one should be closed as fixes for CVE-2014-6271 and CVE-2014-7169 have now been shipped.
Comment 12 klausbrause 2014-09-30 22:41:14 UTC
*** Bug 10638 has been marked as a duplicate of this bug. ***