bash: specially-crafted environment variables can be used to inject shell commands

We need this fix for already installed environments as well.
Our customers already interesting for this fix.
Packages from 6.0 branch should be suitable, but we need these packages before 6.0 release.

The original fix for the problem was considered incomplete, so the new CVE was assigned:
CVE-2014-7169

The fix for CVE-2014-6271 is incomplete and still allows to (at least) overwrite files. The issue (with lower severity) was re-opened as CVE-2014-7169.

From RedHat: https://access.redhat.com/articles/1200223

Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169. Red Hat is working on patches in conjunction with the upstream developers as a critical priority. For details on a workaround, please see the FAQ below.

Red Hat advises customers to upgrade to the version of Bash which contains the fix for CVE-2014-6271, and not wait for the patch which fixes CVE-2014-7169. CVE-2014-7169 is a less severe issue and patches for it are being worked on.

Pavel, please make the new Bash package version higher than that one existing in our repositories.

Further vulnerabilities have been discovered: https://github.com/hannob/bashcheck

Package bash has been built from changeset: http://gerrit.mirantis.com/29678
RPM Repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.1-stable-29678/centos
You can build an ISO with this package:
make iso EXTRA_RPM_REPOS="osci-testing,http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.1-stable-29678/centos"

Package bash has been built from changeset: http://gerrit.mirantis.com/29679
DEB Repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-5.1.1-stable-29679/ubuntu
You can build an ISO with this package:
make iso EXTRA_DEB_REPOS="http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-5.1.1-stable-29679/ubuntu /"

Package bash has been built from changeset: http://gerrit.mirantis.com/29678
RPM Repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.1-stable-29678/centos
You can build an ISO with this package:
make iso EXTRA_RPM_REPOS="osci-testing,http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.1-stable-29678/centos"

Please sync update Bash packages to our public repositories
http://mirror.fuel-infra.org/fwm/

Package bash has been built from changeset: http://gerrit.mirantis.com/29679
DEB Repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-5.1.1-stable/ubuntu
You can build an ISO with this package:
make iso EXTRA_DEB_REPOS="http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-5.1.1-stable/ubuntu /"

Package bash has been built from changeset: http://gerrit.mirantis.com/29678
RPM Repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.1-stable/centos
You can build an ISO with this package:
make iso EXTRA_RPM_REPOS="osci-testing,http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.1-stable/centos"

The nightly build of Fuel ISO version 5.1.1 has been tested and proved to have an updated bash packages for both Ubuntu and CentOS.

The nightly build of Fuel ISO 6.0 is still to be tested.

Fixed packages are already present in 5.1.1 mirrors, marking as In Progress. Why is it not yet in 6.0 mirrors?

It was decided that the OSCI team would unfreeze the mirrors and update will get to MOS variants from the upstream repositories.

Is it so?

Verified on 5.1.1 ISO #18

Testing /bin/bash ...
Bash version 4.1.2(1)-release

Variable function parser pre/suffixed [(), redhat], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)

VERSION:
  feature_groups:
    - mirantis
  production: "docker"
  release: "5.1.1"
  api: "1.0"
  build_number: "18"
  build_id: "2014-11-17_12-14-23"
  astute_sha: "702af3db6f5bca92525bc8322d7d5d7675ec857e"
  fuellib_sha: "0d3909b9a291880af28dbe48b9c7d25215aa98ea"
  ostf_sha: "64cb59c681658a7a55cc2c09d079072a41beb346"
  nailgun_sha: "2fcab95dc43a248ba867065e96ab764ee73882d1"
  fuelmain_sha: "ff22ca819e6eb7c63b6d7978fdd80ef9b84457d9"

MOS 6.0 still have vulnerable versions. Does this mean that the mirrors were not thawed?

MOS 6.0 Ubuntu mirror is updated with a patched version:

bash (4.2-2ubuntu2.6) precise-security; urgency=medium

  * SECURITY UPDATE: incorrect function definition parsing with
    here-document delimited by end-of-file
    - debian/patches/CVE-2014-6277.diff: properly handle closing delimiter
      in bash/copy_cmd.c, bash/make_cmd.c.
    - CVE-2014-6277
  * SECURITY UPDATE: incorrect function definition parsing via nested
    command substitutions
    - debian/patches/CVE-2014-6278.diff: properly handle certain parsing
      attempts in bash/builtins/evalstring.c, bash/parse.y, bash/shell.h.
    - CVE-2014-6278
  * Updated patches with official upstream versions:
    - debian/patches/CVE-2014-6271.diff
    - debian/patches/CVE-2014-7169.diff
    - debian/patches/variables-affix.diff
    - debian/patches/CVE-2014-718x.diff

CentOS is still vulnerable.

RPM package bash has been built for project packages/centos6/bash
Package version == 4.1.2, package release == 15.3

Changeset: https://review.fuel-infra.org/1196
project: packages/centos6/bash
branch: master
author: Pavel Boldin
committer: Pavel Boldin
subject: Fixing ShellShock vulnerabilities (updating to upstream) (Partial-Bug: #1373965)
status: patchset-created

Files placed on repository:

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-master-1196/centos

RPM package bash has been built for project packages/centos6/bash
Package version == 4.1.2, package release == 15.3

Changeset: https://review.fuel-infra.org/1197
project: packages/centos6/bash
branch: 6.0
author: Pavel Boldin
committer: Pavel Boldin
subject: Fixing ShellShock vulnerabilities (updating to upstream) (Partial-Bug: #1373965)
status: patchset-created

Files placed on repository:
bash-4.1.2-15.3.mira1.x86_64.rpm
bash-debuginfo-4.1.2-15.3.mira1.x86_64.rpm
bash-doc-4.1.2-15.3.mira1.x86_64.rpm

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-6.0-stable-1197/centos

RPM package bash has been built for project packages/centos6/bash
Package version == 4.1.2, package release == 15.3

Changeset: https://review.fuel-infra.org/1197
project: packages/centos6/bash
branch: 6.0
author: Pavel Boldin
committer: Pavel Boldin
subject: Fixing ShellShock vulnerabilities (updating to upstream) (Partial-Bug: #1373965)
status: change-merged

Files placed on repository:
bash-4.1.2-15.3.mira1.x86_64.rpm
bash-debuginfo-4.1.2-15.3.mira1.x86_64.rpm
bash-doc-4.1.2-15.3.mira1.x86_64.rpm

Changeset merged. Package placed on primary repository
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-6.0-stable/centos