| Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
| List-Id: | <cygwin.cygwin.com> |
| List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
| List-Archive: | <http://sourceware.org/ml/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
| Sender: | cygwin-owner AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| Delivered-To: | mailing list cygwin AT cygwin DOT com |
| Message-ID: | <5425C87C.8070504@redhat.com> |
| Date: | Fri, 26 Sep 2014 14:11:40 -0600 |
| From: | Eric Blake <eblake AT redhat DOT com> |
| User-Agent: | Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.0 |
| MIME-Version: | 1.0 |
| To: | cygwin AT cygwin DOT com |
| Subject: | Re: cygwin bash and Shellshock / CVE-2014-6271 & CVE-2014-7169 |
| References: | <000001cfd9c0$c599c150$50cd43f0$@belarc.com> |
| In-Reply-To: | <000001cfd9c0$c599c150$50cd43f0$@belarc.com> |
| OpenPGP: | url=http://people.redhat.com/eblake/eblake.gpg |
| X-IsSubscribed: | yes |
On 09/26/2014 01:33 PM, Richard DeFuria wrote:
> Hello,
>
> I downloaded the latest setup and installed the latest packages on my Win 8.1
> x64 box.
>
> It seems as though my cygwin bash shell has been patched against
> CVE-2014-6271 as per:
> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> bash: warning: x: ignoring function definition attempt
> bash: error importing function definition for `x'
> this is a test
>
> However, it is still susceptible to CVE-2014-7169 as per:
> $ env X='() { (a)=>\' sh -c "echo date"; cat echo
> sh: X: line 1: syntax error near unexpected token `='
> sh: X: line 1: `'
> sh: error importing function definition for `X'
> Fri, Sep 26, 2014 3:23:15 PM
>
> That is, the 'original' Shellshock vulnerability is fixed, but not the 'new'
> Shellshock vulnerability.
>
> Is this correct?

Correct. Patience please; I'm still in the middle of testing my
4.1.13-6 build, but it WILL be out today, as I already promised:
https://cygwin.com/ml/cygwin/2014-09/msg00400.html

Furthermore, while there are already known exploits in the wild for
CVE-2014-6271, we have not yet seen as much effort to exploit
CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187; meanwhile, these latter
three are a lot less damaging than the first in terms of severity.

Please read
https://securityblog.redhat.com/2014/09/26/frequently-asked-questions-about-the-shellshock-bash-flaws/;
my delay in patching Cygwin is for the same reason Red Hat delayed in
the second half of patching their products - I want to make sure that
the fixed version of bash will be immune to ALL parser bugs (whereas the
upstream patch 4.1.13 only patched CVE-2014-7169, my build will solve
all three CVE). If upstream later releases 4.1.14, you can be assured
that I will once again rebuild bash with that fix.

By the way, I have NOT yet seen anyone trying to exploit CVE-2014-7186;
but you can do a fairly easy denial of service, or feasibly cause a
heap-smashing attack for arbitrary code execution, merely by nesting
enough heredocs into a single function definition, on a version of bash
that uses only the upstream patches (the flaw that upstream has is that
it even parses normal environment variables as functions in the first
place); the fix that I'm applying, as a copy from Red Hat, moves
functions into a different namespace so that normal environment
variables CANNOT be parsed as functions, and thus bugs in the parser
(which may still well exist, as evidenced by CVE-2014-7186) at least
won't be exploitable by remote attackers.

-- 
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
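
Added example (not part of the message above, and not bash or Cygwin code): a small model of the namespace fix the message describes, showing which environment entries would still reach the function parser under each import policy. The names BASH_FUNC_name() (Red Hat's patch) and BASH_FUNC_name%% (the later upstream form) do not appear on this page; the sample environment is constructed, reusing the two test values quoted above.

```python
import re

# Value prefix that bash has always required before treating an
# environment entry as an exported function.
FUNC_VALUE_PREFIX = "() {"

# Namespaced export names: "BASH_FUNC_name()" (Red Hat's patch) and
# "BASH_FUNC_name%%" (later upstream form). Not taken from the page.
NAMESPACED_NAME = re.compile(r"^BASH_FUNC_.+(\(\)|%%)$")


def reaches_parser(name, value, namespaced):
    """True if this entry would be handed to the function parser."""
    if not value.startswith(FUNC_VALUE_PREFIX):
        return False            # ordinary variable under either policy
    if namespaced:
        # Only names in the reserved namespace are ever parsed.
        return NAMESPACED_NAME.match(name) is not None
    return True                 # value-only check: any name is parsed


def audit(env, namespaced):
    """Sorted names of the entries that reach the parser."""
    return sorted(n for n, v in env.items() if reaches_parser(n, v, namespaced))


def suspicious(env):
    """Function-shaped values under ordinary names: worth flagging in logs."""
    return sorted(set(audit(env, False)) - set(audit(env, True)))


# Constructed sample environment.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "x": "() { :;}; echo vulnerable",          # first test quoted above
    "X": "() { (a)=>\\",                        # second test quoted above
    "BASH_FUNC_greet()": "() {  echo hello\n}", # legitimate namespaced export
}

if __name__ == "__main__":
    print("value-only import:", audit(SAMPLE_ENV, namespaced=False))
    print("namespaced import:", audit(SAMPLE_ENV, namespaced=True))
    print("flag for review  :", suspicious(SAMPLE_ENV))
```

Because a remote party normally controls only the value of a variable and not its name, the namespaced policy keeps such input away from the parser even if further parser bugs exist.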