X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:message-id:date:from:mime-version:to:subject
	:references:in-reply-to:content-type; q=dns; s=default; b=Iqja9m
	J+JG2DIFN4+pF8b23lET6xAqrz+GxLSqqVv2Ox+DlJzsfZ2wZDIqZoe69xo9qtcq
	UnCz8zWdEJ6OLVG/5zFLPR3F7MTDNloGjbIdOwBLxJARlW1bhQqk2xwxotgEini3
	Y1h7s5y7JlqLnBVfXPT/Xpp10AnxC3OYspgwQ=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:message-id:date:from:mime-version:to:subject
	:references:in-reply-to:content-type; s=default; bh=eDztS8Mnp2cz
	qjdjYwlKI6/rspo=; b=gZ3RWm0LD/uZRXAq4Xz+IGpNKPppTArZR1XkpgGbUwDw
	H6xgJ2dVDxUtlA7oac+k8JhjwPA33E2bvMiUGz7bHJXbHZ46cXrwrbrcMXoCuC31
	0kVt6AhbtNSO9UANu/0mFbirP7UFWK4xxt1fzavyBP6mlITbseJvyIHi+/sYmm0=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-2.4 required=5.0 tests=AWL,BAYES_00,RP_MATCHES_RCVD,SPF_HELO_PASS,SPF_PASS autolearn=ham version=3.3.2
X-HELO: mx1.redhat.com
Message-ID: <5425C87C.8070504@redhat.com>
Date: Fri, 26 Sep 2014 14:11:40 -0600
From: Eric Blake <eblake AT redhat DOT com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.0
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: cygwin bash and Shellshock / CVE-2014-6271 & CVE-2014-7169
References: <000001cfd9c0$c599c150$50cd43f0$@belarc.com>
In-Reply-To: <000001cfd9c0$c599c150$50cd43f0$@belarc.com>
OpenPGP: url=http://people.redhat.com/eblake/eblake.gpg
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="7tQNOSHgIU8DFrLT6xxNbDm74dkLNOeSK"
X-IsSubscribed: yes

--7tQNOSHgIU8DFrLT6xxNbDm74dkLNOeSK
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 09/26/2014 01:33 PM, Richard DeFuria wrote:
> Hello,
>=20
> I downloaded the latest setup and installed the latest packages on my Win=
8.1
> x64 box.
>=20
> It seems as though my cygwin bash shell has been patched against
> CVE-2014-6271 as per:
> 	$ env x=3D'() { :;}; echo vulnerable' bash -c "echo this is a test"
> 	bash: warning: x: ignoring function definition attempt
> 	bash: error importing function definition for `x'
> 	this is a test
>=20
> However, it is still susceptible to CVE-2014-7169 as per:
> 	$ env X=3D'() { (a)=3D>\' sh -c "echo date"; cat echo
> 	sh: X: line 1: syntax error near unexpected token `=3D'
> 	sh: X: line 1: `'
> 	sh: error importing function definition for `X'
> 	Fri, Sep 26, 2014  3:23:15 PM
>=20
> That is, the 'original' Shellshock vulnerability is fixed, but not the 'n=
ew'
> Shellshock vulnerability.
>=20
> Is this correct?

Correct.  Patience please; I'm still in the middle of testing my
4.1.13-6 build, but it WILL be out today, as I already promised:
https://cygwin.com/ml/cygwin/2014-09/msg00400.html

Furthermore, while there are already known exploits in the wild for
CVE-2014-6271, we have not yet seen as much effort to exploit
CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187; meanwhile, these latter
three are a lot less damaging than the first in terms of severity.
Please read
https://securityblog.redhat.com/2014/09/26/frequently-asked-questions-about=
-the-shellshock-bash-flaws/;
my delay in patching Cygwin is for the same reason Red Hat delayed in
the second half of patching their products - I want to make sure that
the fixed version on bash will be immune to ALL parser bugs (whereas the
upstream patch 4.1.13 only patched CVE-2014-7169, my build will solve
all three CVE).  If upstream later releases 4.1.14, you can be assured
that I will once again rebuild bash with that fix.

By the way, I have NOT yet seen anyone trying to exploit CVE-2014-7186;
but you can do a fairly easy denial of service, or feasibly cause a
heap-smashing attack for arbitrary code execution, merely by nesting
enough heredocs into a single function definition, on a version of bash
that uses only the upstream patches (the flaw that upstream has is that
it even parses normal environment variables as functions in the first
place); the fix that I'm applying, as a copy from Red Hat, moves
functions into a different namespace so that normal environment
variables CANNOT be parsed as functions, and thus bugs in the parser
(which may still well exist, as evidenced by CVE-2014-7186) at least
won't be exploitable by remote attackers.

--=20
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


--7tQNOSHgIU8DFrLT6xxNbDm74dkLNOeSK
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Public key at http://people.redhat.com/eblake/eblake.gpg

iQEcBAEBCAAGBQJUJch8AAoJEKeha0olJ0NqiIUH/RJrqSGt0P/qLX7Sdff1jMtL
u7T3Ti2F/yMzYHrSt25SkhkCdEBmK+2lXr8lOb8SXAkUFNIbsqmsIrO3nvx1GyuQ
P3GwnkXG/eADSAqAeJ4GnM2J+NySqCXgHvM+o1MOKUaQ4bvxTrDDK1d2FanTC5IT
wKC7XPCftmaVLL9zu3IdIEHdW3IxjqZ7B+aWygiTLNNNN96f/EU/5k2bm5iXjX23
mqqCYVWJ+oeMSzT2RYNvGyRuKH/NB+DJ775uASGfDLviFkd8yEYMuaRBqjQH+CBh
2DdX4XBs+d2QIYKDt3IFostAsnD2XyIPPkFi7AVkZv5c2qZW4ldz/Zj5+8NG56o=
=iTmT
-----END PGP SIGNATURE-----

--7tQNOSHgIU8DFrLT6xxNbDm74dkLNOeSK--