Subject: Re: cygwin bash and Shellshock / CVE-2014-6271 & CVE-2014-7169
From: Eric Blake
Date: Fri, 26 Sep 2014 14:11:40 -0600
To: cygwin AT cygwin DOT com
Message-ID: <5425C87C.8070504@redhat.com>
In-Reply-To: <000001cfd9c0$c599c150$50cd43f0$@belarc.com>
References: <000001cfd9c0$c599c150$50cd43f0$@belarc.com>
OpenPGP: url=http://people.redhat.com/eblake/eblake.gpg
On 09/26/2014 01:33 PM, Richard DeFuria wrote:
> Hello,
>
> I downloaded the latest setup and installed the latest packages on my Win 8.1
> x64 box.
>
> It seems as though my cygwin bash shell has been patched against
> CVE-2014-6271 as per:
> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> bash: warning: x: ignoring function definition attempt
> bash: error importing function definition for `x'
> this is a test
>
> However, it is still susceptible to CVE-2014-7169 as per:
> $ env X='() { (a)=>\' sh -c "echo date"; cat echo
> sh: X: line 1: syntax error near unexpected token `='
> sh: X: line 1: `'
> sh: error importing function definition for `X'
> Fri, Sep 26, 2014 3:23:15 PM
>
> That is, the 'original' Shellshock vulnerability is fixed, but not the 'new'
> Shellshock vulnerability.
>
> Is this correct?

Correct.  Patience please; I'm still in the middle of testing my 4.1.13-6
build, but it WILL be out today, as I already promised:
https://cygwin.com/ml/cygwin/2014-09/msg00400.html

Furthermore, while there are already known exploits in the wild for
CVE-2014-6271, we have not yet seen as much effort to exploit
CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187; meanwhile, these latter
three are a lot less damaging than the first in terms of severity.
Please read
https://securityblog.redhat.com/2014/09/26/frequently-asked-questions-about-the-shellshock-bash-flaws/;
my delay in patching Cygwin is for the same reason Red Hat delayed in the
second half of patching their products - I want to make sure that the
fixed version of bash will be immune to ALL parser bugs (whereas the
upstream patch 4.1.13 only patched CVE-2014-7169, my build will solve all
three CVEs).
If upstream later releases 4.1.14, you can be assured that I will once
again rebuild bash with that fix.

By the way, I have NOT yet seen anyone trying to exploit CVE-2014-7186;
but you can do a fairly easy denial of service, or feasibly cause a
heap-smashing attack for arbitrary code execution, merely by nesting
enough heredocs into a single function definition, on a version of bash
that uses only the upstream patches (the flaw that upstream has is that
it even parses normal environment variables as functions in the first
place); the fix that I'm applying, as a copy from Red Hat, moves
functions into a different namespace so that normal environment variables
CANNOT be parsed as functions, and thus bugs in the parser (which may
still well exist, as evidenced by CVE-2014-7186) at least won't be
exploitable by remote attackers.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
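The two probe one-liners quoted in the thread, plus a check for the "different namespace" fix Eric describes, gathered into one script. This is an added example, not code from the thread, from the Cygwin bash package or from Red Hat; it assumes the bash under test is reachable as `bash` on PATH (or via the `BASH_BIN` variable), and `probe` is a hypothetical function name used only here. Unlike the quoted CVE-2014-7169 test, which leaves a file named `echo` in the current directory, the probe below runs in a scratch directory and removes it afterwards.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread above). Probes a bash
# binary for CVE-2014-6271 and CVE-2014-7169, and shows the function-export
# namespace fix: a fixed bash exports functions under a BASH_FUNC_<name>
# prefix, so an ordinary environment variable is never parsed as a function.
# Assumption: $BASH_BIN (default "bash") is the binary under test.

BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: a vulnerable bash runs the command appended after the
# function body carried in a plain environment variable.
# Returns 0 when vulnerable, 1 when the import is refused.
shellshock_6271_vulnerable() {
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# CVE-2014-7169: a bash carrying only the first patch leaves parser state
# behind after the malformed definition, so 'echo date' is parsed as
# 'date > echo' and a file named "echo" appears in the working directory.
# Runs in a scratch directory so the stray file never lands in $PWD.
# Returns 0 when vulnerable, 1 when not (2 if no scratch dir could be made).
shellshock_7169_vulnerable() {
    dir=$(mktemp -d) || return 2
    ( cd "$dir" || exit 2
      env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1
      [ -e echo ] )
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Prints the environment-variable name a bash uses when exporting a function
# ("BASH_FUNC_probe%%" with the upstream patches, "BASH_FUNC_probe()" with
# the Red Hat style patch). Prints nothing on a bash that still exports the
# function as a bare "probe=() { ...}" variable, the layout the parser bugs
# need in order to be reachable from the environment.
exported_function_name() {
    "$BASH_BIN" -c 'probe() { :; }; export -f probe; env' 2>/dev/null \
        | grep -o '^BASH_FUNC_probe[^=]*' | head -n 1
}

# One-word verdict: no-bash, vulnerable-6271, vulnerable-7169 or patched.
shellshock_status() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo no-bash; return 0; }
    if shellshock_6271_vulnerable; then
        echo vulnerable-6271
    elif shellshock_7169_vulnerable; then
        echo vulnerable-7169
    else
        echo patched
    fi
}

echo "$BASH_BIN: $(shellshock_status)"
echo "function export prefix: $(exported_function_name)"
```

Run it against an alternate binary with `BASH_BIN=/path/to/bash sh shellshock-check.sh`. A bash that reports `patched` but prints an empty export prefix still imports functions from bare variable names, which is exactly the state Eric warns about: the two known bugs are closed, but any remaining parser bug stays reachable by whoever controls the environment (a CGI request header, an SSH `ForceCommand` environment, a DHCP option).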