Message-ID: <542B6B1F.9050801@redhat.com>
Date: Tue, 30 Sep 2014 20:46:55 -0600
From: Eric Blake
To: cygwin AT cygwin DOT com
Subject: Re: [ANNOUNCEMENT] Updated: bash-4.1.14-7

On 09/30/2014 07:42 PM, Andy wrote:
> Eric Blake (cygwin byu.net> writes:
>> This is a minor rebuild which picks up an upstream patch to fix
>> CVE-2014-7169 and all other ShellShock attacks (4.1.13-6 was also safe,
>> but used a slightly different downstream patch that used '()' instead of
>> '%%' in environment variables, and which was overly restrictive on
>> importing functions whose name was not an identifier). There are still
>> known parser crashers (such as CVE-2014-7186, CVE-2014-7187, and
>> CVE-2014-6277) where upstream will probably issue patches soon; but
>> while those issues can trigger a local crash, they cannot be exploited
>> for escalation of privilege via arbitrary variable contents by this
>> build. Left unpatched, a vulnerable version of bash could allow
>> arbitrary code execution via specially crafted environment variables,
>> and was exploitable through a number of remote services, so it is highly
>> recommended that you upgrade
>
> I found this to be a good test site, with a comprehensive list of
> exploits and explicit description of what to expect in order to decide
> whether an exploit is still active: http://shellshocker.net

That site is not 100% accurate. Among others, it claims that:

  env X=' () { }; echo hello' bash -c 'date'

can output hello on vulnerable bash. That is untrue; no version of bash
exists with that behavior (the shellshock behavior REQUIRES the first
four bytes of a vulnerable variable to be "() {", but that example
started with space). Furthermore, it claims that:

  bash -c 'true <
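
The four-byte prefix rule from the message above, as an added audit sketch that is not part of the original e-mail or of bash itself. The function names and sample entries are constructed for illustration, and the BASH_FUNC_ name prefix is taken from the upstream patch rather than from this page.

```sh
#!/bin/sh
# Added example: classify NAME=VALUE environment entries by the prefix rule
# stated in the message. All sample entries below are constructed.

# Prints legacy-import, patched-export or plain for one NAME=VALUE entry.
classify_env_entry() {
    name=${1%%=*}     # text before the first '='
    value=${1#*=}     # text after the first '='
    case $value in
        '() {'*) ;;                     # bytes 1-4 are exactly "() {"
        *) echo plain; return 0 ;;      # includes " () {" (leading space)
    esac
    case $name in
        # '%%' and '()' are the markers named in the quoted announcement;
        # the BASH_FUNC_ prefix is from the upstream patch, not from the page.
        BASH_FUNC_*'%%' | BASH_FUNC_*'()') echo patched-export ;;
        *) echo legacy-import ;;
    esac
}

# Reads one NAME=VALUE entry per line on stdin and prints the names of the
# entries an unpatched bash would try to import as function definitions.
# Simplification: real values may contain newlines.
audit_env_dump() {
    while IFS= read -r entry; do
        case $entry in *=*) ;; *) continue ;; esac
        if [ "$(classify_env_entry "$entry")" = legacy-import ]; then
            printf '%s\n' "${entry%%=*}"
        fi
    done
}

# Constructed sample; Y carries the leading-space string from the message.
sample_env() {
    cat <<'EOF'
X=() { :; }; echo hello
Y= () { }; echo hello
BASH_FUNC_greet%%=() { echo hi; }
PATH=/usr/bin:/bin
EOF
}

sample_env | audit_env_dump
```

Only X is reported: Y begins with a space, so it never reaches the function-import path, and the BASH_FUNC_ entry uses the post-patch naming.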