[opensuse] Security: bash: still vulnerable ( CVE-2014-6277 )

newer
[opensuse] PCH transcoder A FIFO...

MarkusGMX

8 Oct 2014 8 Oct '14

18:23

Hello, I just updated my SuSE 13.1 system, bash to GNU bash, version 4.2.47(1)-release (x86_64-suse-linux-gnu) which is bash-4.2-68.8.1.x86_64.rpm But according to https://shellshocker.net/ I am still vulnerable to Exploit 7 (CVE-2014-6277) :

...

bash -c "f() { x() { _;}; x() { _;} </dev/null || echo vulnerable Segmentation fault vulnerable

I read "Note from the SUSE Security Team This issue is already mitigated by the function hardening patch introduced in the update for CVE-2014-7169. Novell Bugzilla entries: 898664, 898762, 898812, 898884 " [ http://support.novell.com/security/cve/CVE-2014-6277.html ] which does not seem to be the correct. Any ideas when this will be fixed? BR ME -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Show replies by date

Roger Luedecke

8 Oct 8 Oct

19:38

On Wed, 2014-10-08 at 20:23 +0200, MarkusGMX wrote:

...

Hello,

I just updated my SuSE 13.1 system, bash to GNU bash, version 4.2.47(1)-release (x86_64-suse-linux-gnu) which is bash-4.2-68.8.1.x86_64.rpm

But according to https://shellshocker.net/ I am still vulnerable to Exploit 7 (CVE-2014-6277) :

...
bash -c "f() { x() { _;}; x() { _;} </dev/null || echo vulnerable Segmentation fault vulnerable

I read "Note from the SUSE Security Team This issue is already mitigated by the function hardening patch introduced in the update for CVE-2014-7169.

Novell Bugzilla entries: 898664, 898762, 898812, 898884 " [ http://support.novell.com/security/cve/CVE-2014-6277.html ]

which does not seem to be the correct.

Any ideas when this will be fixed?

BR ME It's not actually vulnerable to attack, it's simply crashing. If I recall there is already a patch in the pipes coming soon.

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

John Andersen

20:00

On 10/08/2014 11:23 AM, MarkusGMX wrote:

...

...
bash -c "f() { x() { _;}; x() { _;} </dev/null || echo vulnerable Segmentation fault vulnerable

Since it core dumps, it returns to the prior process, and It doesn't appear to gain access to anything that could be exploited (other than creating a not very big core). -- Explain again the part about rm -rf / -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Marcus Meissner

10 Oct 10 Oct

06:10

On Wed, Oct 08, 2014 at 08:23:42PM +0200, MarkusGMX wrote:

...

Hello,

I just updated my SuSE 13.1 system, bash to GNU bash, version 4.2.47(1)-release (x86_64-suse-linux-gnu) which is bash-4.2-68.8.1.x86_64.rpm

But according to https://shellshocker.net/ I am still vulnerable to Exploit 7 (CVE-2014-6277) :

...
bash -c "f() { x() { _;}; x() { _;} </dev/null || echo vulnerable Segmentation fault vulnerable

I read "Note from the SUSE Security Team This issue is already mitigated by the function hardening patch introduced in the update for CVE-2014-7169.

Novell Bugzilla entries: 898664, 898762, 898812, 898884 " [ http://support.novell.com/security/cve/CVE-2014-6277.html ]

which does not seem to be the correct.

Any ideas when this will be fixed?

I fixed the script on shellshocker.net. Ciao, Marcus -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

jdebert

12 Oct 12 Oct

16:06

Well, this is interesting. Last week: jdebert@demonstrabo:~> bash -c "f() { x() { _;}; x() { _;} </dev/null || echo vulnerable jdebert@demonstrabo:~> Today: jdebert@demonstrabo:~> bash -c "f() { x() { _;}; x() { _;} </dev/null || echo vulnerable Segmentation fault vulnerable jdebert@demonstrabo:~> jdebert@demonstrabo:~> rpm -q bash bash-4.2-61.15.1.i586 jd -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Ruben Safir

18:26

On Sun, Oct 12, 2014 at 09:06:59AM -0700, jdebert wrote:

...

Well, this is interesting.

Last week:

jdebert@demonstrabo:~> bash -c "f() { x() { _;}; x() { _;} </dev/null || echo vulnerable jdebert@demonstrabo:~>

Today:

jdebert@demonstrabo:~> bash -c "f() { x() { _;}; x() { _;} </dev/null || echo vulnerable Segmentation fault vulnerable jdebert@demonstrabo:~>

Doesn't bashes documentation explain that this is suposed to happen?

...

jdebert@demonstrabo:~> rpm -q bash bash-4.2-61.15.1.i586

jd

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-- So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998 http://www.mrbrklyn.com DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002 http://www.nylxs.com - Leadership Development in Free Software http://www2.mrbrklyn.com/resources - Unpublished Archive http://www.coinhangout.com - coins! http://www.brooklyn-living.com Being so tracked is for FARM ANIMALS and and extermination camps, but incompatible with living as a free human being. -RI Safir 2013 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Bernhard Voelker

13 Oct 13 Oct

06:44

On 10/12/2014 06:06 PM, jdebert wrote:

...

bash -c "f() { x() { _;}; x() { _;} </dev/null || echo vulnerable Segmentation fault vulnerable

I'd file a bug for this. It's "nice" that the few existing shellshocker tests pass, but it's not okay that bash segfaults in other cases. Have a nice day, Berny -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Ruben Safir

12 Oct 12 Oct

18:40

Please Marcus, I'm confused. www:~ # bash -c "f() { x() { _;}; x() { _;} <

...

2>/dev/null || echo vulnerable Segmentation fault vulnerable www:~ # rpm -q bash bash-4.2-61.15.1.i586

That is after doing an update Ruben On Fri, Oct 10, 2014 at 08:10:41AM +0200, Marcus Meissner wrote:

...

On Wed, Oct 08, 2014 at 08:23:42PM +0200, MarkusGMX wrote:

...
Hello,

I just updated my SuSE 13.1 system, bash to GNU bash, version 4.2.47(1)-release (x86_64-suse-linux-gnu) which is bash-4.2-68.8.1.x86_64.rpm

But according to https://shellshocker.net/ I am still vulnerable to Exploit 7 (CVE-2014-6277) :

...
bash -c "f() { x() { _;}; x() { _;} </dev/null || echo vulnerable Segmentation fault vulnerable

I read "Note from the SUSE Security Team This issue is already mitigated by the function hardening patch introduced in the update for CVE-2014-7169.

Novell Bugzilla entries: 898664, 898762, 898812, 898884 " [ http://support.novell.com/security/cve/CVE-2014-6277.html ]

which does not seem to be the correct.

Any ideas when this will be fixed?

I fixed the script on shellshocker.net.

Ciao, Marcus -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Brendan McKenna

19:19

Hi, The current advice on the shellshocker.net web site is to run the following: curl https://shellshocker.net/shellshock_test.sh | bash On a 13.1 system with bash-4.2-68.8.1.x86_64, every test results in a "not vulnerable" message.... Brendan On 12/10/14 19:40, Ruben Safir wrote:

...

Please Marcus, I'm confused.

www:~ # bash -c "f() { x() { _;}; x() { _;} <
...
2>/dev/null || echo vulnerable Segmentation fault vulnerable www:~ # rpm -q bash bash-4.2-61.15.1.i586

That is after doing an update

Ruben

On Fri, Oct 10, 2014 at 08:10:41AM +0200, Marcus Meissner wrote:

...
On Wed, Oct 08, 2014 at 08:23:42PM +0200, MarkusGMX wrote:

...
Hello,

I just updated my SuSE 13.1 system, bash to GNU bash, version 4.2.47(1)-release (x86_64-suse-linux-gnu) which is bash-4.2-68.8.1.x86_64.rpm

But according to https://shellshocker.net/ I am still vulnerable to Exploit 7 (CVE-2014-6277) :

...
bash -c "f() { x() { _;}; x() { _;} </dev/null || echo vulnerable Segmentation fault vulnerable

I read "Note from the SUSE Security Team This issue is already mitigated by the function hardening patch introduced in the update for CVE-2014-7169.

Novell Bugzilla entries: 898664, 898762, 898812, 898884 " [ http://support.novell.com/security/cve/CVE-2014-6277.html ]

which does not seem to be the correct.

Any ideas when this will be fixed?

I fixed the script on shellshocker.net.

Ciao, Marcus -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

James Knott

19:22

New subject: [opensuse] Security: bash: still vulnerable ( CVE-2014-6277 )

On 10/12/2014 03:19 PM, Brendan McKenna wrote:

...

The current advice on the shellshocker.net web site is to run the following:

curl https://shellshocker.net/shellshock_test.sh | bash

On a 13.1 system with bash-4.2-68.8.1.x86_64, every test results in a "not vulnerable" message....

Same here -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

David Haller

13 Oct 13 Oct

04:38

New subject: [opensuse] Security: bash: still vulnerable ( CVE-2014-6277 )

Hello, On Sun, 12 Oct 2014, James Knott wrote:

...

On 10/12/2014 03:19 PM, Brendan McKenna wrote:

...
The current advice on the shellshocker.net web site is to run the following:

curl https://shellshocker.net/shellshock_test.sh | bash

On a 13.1 system with bash-4.2-68.8.1.x86_64, every test results in a "not vulnerable" message....

Same here

Same here on 12.1 with the "just linked to Base:System/bash" package I build for 12.1-13.1 + Tumbleweed ... $ rpm -q --qf '%{name}-%{version}-%{release}\n%{distribution}\n%{buildtime:date}\n' bash bash-4.2-255.1 home:dnh / openSUSE_12.1_Update_standard Mon 06 Oct 2014 10:32:03 AM CEST $ bash shellshock_test.sh CVE-2014-6271 (original shellshock): not vulnerable CVE-2014-6277 (segfault): not vulnerable CVE-2014-6278 (Florian's patch): not vulnerable CVE-2014-7169 (taviso bug): not vulnerable CVE-2014-7186 (redir_stack bug): not vulnerable CVE-2014-7187 (nested loops off by one): not vulnerable CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable -dnh -- Sheridan: "I'll tell you one thing. If the primates that we came from had known that some day politicians would come out of the gene pool, they'd have stayed up in the trees and written evolution off as a bad idea!" -- Babylon 5, 2x04 - A Distant Star -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Marcus Meissner

16 Oct 16 Oct

08:49

New subject: [opensuse] Security: bash: still vulnerable ( CVE-2014-6277 )

On Mon, Oct 13, 2014 at 06:38:36AM +0200, David Haller wrote:

...

Hello,

On Sun, 12 Oct 2014, James Knott wrote:

...
On 10/12/2014 03:19 PM, Brendan McKenna wrote:

...
The current advice on the shellshocker.net web site is to run the following:

curl https://shellshocker.net/shellshock_test.sh | bash

On a 13.1 system with bash-4.2-68.8.1.x86_64, every test results in a "not vulnerable" message....

Same here

Same here on 12.1 with the "just linked to Base:System/bash" package I build for 12.1-13.1 + Tumbleweed ...

$ rpm -q --qf '%{name}-%{version}-%{release}\n%{distribution}\n%{buildtime:date}\n' bash bash-4.2-255.1 home:dnh / openSUSE_12.1_Update_standard Mon 06 Oct 2014 10:32:03 AM CEST $ bash shellshock_test.sh CVE-2014-6271 (original shellshock): not vulnerable CVE-2014-6277 (segfault): not vulnerable CVE-2014-6278 (Florian's patch): not vulnerable CVE-2014-7169 (taviso bug): not vulnerable CVE-2014-7186 (redir_stack bug): not vulnerable CVE-2014-7187 (nested loops off by one): not vulnerable CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable

Thats because I fixed the test on shellshocker.net to detect the actual security issue "better". The actuall bash segfault (not a security issue) might still be there, but either a bash fix was pushed already or will be. Ciao, Marcus -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Marcus Meissner

6 Nov 6 Nov

07:48

On Sun, Oct 12, 2014 at 02:40:34PM -0400, Ruben Safir wrote:

...

Please Marcus, I'm confused.

www:~ # bash -c "f() { x() { _;}; x() { _;} <
...
2>/dev/null || echo vulnerable Segmentation fault vulnerable www:~ # rpm -q bash bash-4.2-61.15.1.i586

That is after doing an update

This non-security bug was also fixed in the meantime (during my vacation). Ciao, Marcus -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

3523

Age (days ago)

3552

Last active (days ago)

List overview

Download

12 comments

10 participants

participants (10)

Bernhard Voelker
Brendan McKenna
David Haller
James Knott
jdebert
John Andersen
Marcus Meissner
MarkusGMX
Roger Luedecke
Ruben Safir