bash incomplete fix for CVE-2014-6271

Bug #1373781 reported by Robin H. Johnson on 2014-09-25
370
This bug affects 21 people
Affects Status Importance Assigned to Milestone
bash (Ubuntu)
Undecided
Marc Deslauriers
Lucid
Undecided
Unassigned
Precise
Undecided
Unassigned
Trusty
Undecided
Marc Deslauriers
Utopic
Undecided
Marc Deslauriers

Bug Description

The fixes for CVE-2014-6271 do NOT work! Security vuln, but should be public, this is known already.

Ubuntu 14.04 LTS: bash 4.3-7ubuntu1.1
Ubuntu 12.04 LTS: bash 4.2-2ubuntu2.2
Ubuntu 10.04 LTS: bash 4.1-2ubuntu3.1

Testcase:
rm -f echo && env -i X='() { (a)=>\' bash -c 'echo id'; cat echo

expected output:
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
id

actual output:
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
uid=0(root) gid=0(root) groups=0(root)

Robin H. Johnson (robbat2) wrote :

http://seclists.org/oss-sec/2014/q3/685
CVE-2014-7169 is assigned for the failed patch

Marc Deslauriers (mdeslaur) wrote :

Proposed patch for CVE-2014-7169 here:

http://www.openwall.com/lists/oss-security/2014/09/25/10

I am building bash updates for Ubuntu containing the proposed fix here and will publish them once the fix has been made official:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

information type: Private Security → Public Security
summary: - bash CVE-2014-6271 fix does NOT work
+ bash incomplete fix for CVE-2014-6271
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in bash (Ubuntu):
status: New → Confirmed
Harry Willis (hwillis19) wrote :

Marc, I've just upgraded to 4.3.7-ubuntu1.2 in trusty (https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.2) which I assume was supposed to protect against the test case provided for CVE-2014-7169. It doesn't appear to have done so. Confirmed that the upgrade was successfully applied.

harry@mars:~ aptitude show bash | egrep '^Version'
Version: 4.3-7ubuntu1.2

harry@mars:~$ md5sum /bin/bash Downloads/bash_4.3-7ubuntu1.2_amd64/bin/bash
3c263963be49239e113a5794d54b732a /bin/bash
3c263963be49239e113a5794d54b732a Downloads/bash_4.3-7ubuntu1.2_amd64/bin/bash

harry@mars:~$ cat echo
cat: echo: No such file or directory

harry@mars:~$ env -i X='() { (a)=>\' bash -c 'echo date'
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'

harry@mars:~$ cat echo
Fri Sep 26 00:38:09 BST 2014

Harry Willis (hwillis19) wrote :

Re the above: the patch was *not* correctly applied in trusty package bash_4.3-7ubuntu1.2.

lucid package bash_4.3-7ubuntu1.2 appears to have been upgraded fine, and handles the test case correctly.

harry@mars:~$ md5sum Downloads/bash_4.3-7ubuntu1.1_amd64/bin/bash Downloads/bash_4.3-7ubuntu1.2_amd64/bin/bash
3c263963be49239e113a5794d54b732a Downloads/bash_4.3-7ubuntu1.1_amd64/bin/bash
3c263963be49239e113a5794d54b732a Downloads/bash_4.3-7ubuntu1.2_amd64/bin/bash

harry@mars:~$ md5sum Downloads/bash_4.2-2ubuntu2.2_amd64/bin/bash Downloads/bash_4.2-2ubuntu2.3_amd64/bin/bash
d63ff62f142e76205e89e4a4de553fec Downloads/bash_4.2-2ubuntu2.2_amd64/bin/bash
5ee533c7cd3a8246b4a3d7a29ffbe0b2 Downloads/bash_4.2-2ubuntu2.3_amd64/bin/bash

harry@mars:~$ env -i PATH="Downloads/bash_4.2-2ubuntu2.3_amd64/bin:$PATH" X='() { (a)=>\' bash -c 'echo date'; cat echo
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
date
cat: echo: No such file or directory

Ryan Tucker (rtucker) wrote :

For completeness, I've opened Bug #1374207 on the issue with trusty. Good news is that lucid and precise seem OK.

Marc Deslauriers (mdeslaur) wrote :

There was a build issue with the Ubuntu 14.04 package, and I am in the process of fixing it now. An update will be released within the hour.

The other releases should be ok.

Changed in bash (Ubuntu Lucid):
status: New → Fix Released
Changed in bash (Ubuntu Precise):
status: New → Fix Released
Changed in bash (Ubuntu Trusty):
status: New → In Progress
Changed in bash (Ubuntu Utopic):
status: Confirmed → In Progress
Changed in bash (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in bash (Ubuntu Utopic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Fumihito YOSHIDA (hito) wrote :

Hi,

Red Hat released new packages at https://rhn.redhat.com/errata/RHSA-2014-1306.html, that include fix for CVE-2014-7169, and they fixed with another way, and another problems (OOB memory access).

We can investigate from RH SRPM, http://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/bash-4.1.2-15.el6_5.2.src.rpm

IMHO, Red Hat fix included 3 patches.
 - bash-4.2-cve-2014-7169-0.patch : parser bug fix-A for CVE-2014-7169 (same as http://seclists.org/oss-sec/2014/q3/685 )
 - bash-4.2-cve-2014-7169-1.patch : introduce variable isolation in function import situation. another fix for CVE-2014-7169. this is new patch.
 - bash-4.2-cve-2014-7169-2.patch : OOB memory access(new problem) fix.

They probosed these new patches at http://www.openwall.com/lists/oss-security/2014/09/25/32 .

I make a proposition about that, could we apply these new patches? or they are not important?

Mathew Hodson (mathew-hodson) wrote :

Fixed in the new Ubuntu 14.04 package https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.3

Changed in bash (Ubuntu Trusty):
status: In Progress → Fix Released
Marc Deslauriers (mdeslaur) wrote :

Fumihito YOSHIDA (hito),

We are awaiting comments from the upstream bash developer about the OOB memory fixes, and the variable isolation hardening. We will address those in a later bash update.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bash - 4.3-9ubuntu3

---------------
bash (4.3-9ubuntu3) utopic; urgency=medium

  * SECURITY UPDATE: incomplete fix for CVE-2014-6271 (LP: #1373781)
    - debian/patches/CVE-2014-7169.diff: fix logic in parse.y and y.tab.c.
    - CVE-2014-7169
 -- Marc Deslauriers <email address hidden> Thu, 25 Sep 2014 21:43:10 -0400

Changed in bash (Ubuntu Utopic):
status: In Progress → Fix Released
dino99 (9d9) wrote :

Utopic feedback

oem@u32:~$ aptitude show bash | egrep '^Version'
Version: 4.3-9ubuntu3
oem@u32:~$ env x='() { :;}; echo hackable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
oem@u32:~$ env -i X='() { (a)=>\' bash -c 'echo date'
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
date

Seems still having problem

Marc Deslauriers (mdeslaur) wrote :

@dino99: both your test cases look good to me. What results were you expecting?

dino99 (9d9) wrote :

@Marc

its only a feedback, and i only see that warning.
if you think its ok, i'm ok too (no skill on my side for commenting)

as i've reported an other bug about that 'warning' thing, i'm closing it too.

Thanks for the answer

Spyros (spyros-q) wrote :

Some additional feedback from 14.04 (using latest 4.3-7ubuntu1.3):

spyros@prod01:~# env -i X='() { (a)=>\' bash -c 'echo date'
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
date

spyros@prod01:~# env X='() { (a)=>\' bash -c "echo date"; cat echo
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
Fri Sep 26 12:13:33 PDT 2014

I apologize if this is a stupid question, but why is it that the second case still works?
Doesn't this mean that the system is still vulnerable to CVE-2014-7169?

Marc Deslauriers (mdeslaur) wrote :

do you perhaps have a left-over file called 'echo' in that directory?

If so, you need to delete it before running the test.

On 09/26/2014 03:49 PM, Spyros wrote:
> spyros@prod01:~# env X='() { (a)=>\' bash -c "echo date"; cat echo
> bash: X: line 1: syntax error near unexpected token `='
> bash: X: line 1: `'
> bash: error importing function definition for `X'
> Fri Sep 26 12:13:33 PDT 2014
>
> I apologize if this is a stupid question, but why is it that the second case still works?
> Doesn't this mean that the system is still vulnerable to CVE-2014-7169?

Maybe you had a leftover file named "echo" in root's home? If yes,
remove it and retest.

Spyros (spyros-q) wrote :

Thank you for the reply Marc & Simon.
Unfortunately this isn't due to a leftover file.

spyros@prod01:~# env X='() { (a)=>\' bash -c "echo date"; cat echo
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
Fri Sep 26 12:14:15 PDT 2014
spyros@prod01:~# rm echo
spyros@prod01:~# env X='() { (a)=>\' bash -c "echo date"; cat echo
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
Fri Sep 26 12:15:24 PDT 2014

The only difference between the "working" and "non-working" version that I spot, is the -i argument to env, but I'm not sure why/how the empty environment would affect this.

Lars Heer (l-heer) wrote :

Since the last update:
ii bash 4.3-7ubuntu1.4 amd64 GNU Bourne Again SHell

the following happen:
lars@dachs:/tmp$ rm -f echo && env -i X='() { (a)=>\' bash -c 'echo id'; cat echo
id
cat: echo: No such file or directory
lars@dachs:/tmp$

Lars Heer (l-heer) wrote :

Maybe this helps others to verify:
https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck

lars@dachs:~$ ./bashcheck
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers