X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:message-id:date:from:mime-version:to:subject
	:references:in-reply-to:content-type; q=dns; s=default; b=Mz1DOc
	ra0iPXV+hhVypEfwMYEfCK2IRONu7yRlWpiWJ8ZOYkveuYnEc5AkrgqjHYOHKRI7
	kUVhVE3UKp3CyfwM3xvau+7PzVNTCNa5feUPcok7d6HFrnm50uz7pLAmLgkbiIWT
	KOnwos41VjxQFoEp4fm89zZz8D0V9TQxS3iQM=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:message-id:date:from:mime-version:to:subject
	:references:in-reply-to:content-type; s=default; bh=KxEjzlLt//9Z
	GpZNxU85vFqTLZ8=; b=T88CgzlFVJjdRm0qn2EnbdvAsTGGF6h3K76ga8CuyUC/
	JS4yAN64tDPrjJr1K8T931Mj+tm3TOGBlkAj5+LMKzXGIalHcK46NGTIATq2hh9E
	Ov6Am4cl9Weh04K7lraHtW4ZlXgWPTyx6vKoP+LCF3mIPhMAGHa9OAde+72N6xE=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-1.4 required=5.0 tests=AWL,BAYES_00,RP_MATCHES_RCVD,SEM_FRESH,SPF_HELO_PASS,SPF_PASS,URIBL_RED,URIBL_RHS_DOB autolearn=ham version=3.3.2
X-HELO: mx1.redhat.com
Message-ID: <542B6B1F.9050801@redhat.com>
Date: Tue, 30 Sep 2014 20:46:55 -0600
From: Eric Blake <eblake AT redhat DOT com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: [ANNOUNCEMENT] Updated: bash-4.1.14-7
References: <announce DOT 5429CDA3 DOT 8080300 AT byu DOT net> <loom DOT 20141001T033822-607 AT post DOT gmane DOT org>
In-Reply-To: <loom.20141001T033822-607@post.gmane.org>
OpenPGP: url=http://people.redhat.com/eblake/eblake.gpg
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="tOeX8qXfX1DTlDMpsIPXIXPFBRuBFdKcd"
X-IsSubscribed: yes

--tOeX8qXfX1DTlDMpsIPXIXPFBRuBFdKcd
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 09/30/2014 07:42 PM, Andy wrote:
> Eric Blake (cygwin <ebb9 <at> byu.net> writes:
>> This is a minor rebuild which picks up an upstream patch to fix
>> CVE-2014-7169 and all other ShellShock attacks (4.1.13-6 was also safe,
>> but used a slightly different downstream patch that used '()' instead of
>> '%%' in environment variables, and which was overly restrictive on
>> importing functions whose name was not an identifier).  There are still
>> known parser crashers (such as CVE-2014-7186, CVE-2014-7187, and
>> CVE-2014-6277) where upstream will probably issue patches soon; but
>> while those issues can trigger a local crash, they cannot be exploited
>> for escalation of privilege via arbitrary variable contents by this
>> build.  Left unpatched, a vulnerable version of bash could allow
>> arbitrary code execution via specially crafted environment variables,
>> and was exploitable through a number of remote services, so it is highly
>> recommended that you upgrade
>=20
> I found this to be a good test site, with a comprehensive list of
> exploits and explicit description of what to expect in order to decide
> whether an exploit is still active: http://shellshocker.net

That site is not 100% accurate.

Among others, it claims that:

env X=3D' () { }; echo hello' bash -c 'date'

can output hello on vulnerable bash.  That is untrue; no version of bash
exists with that behavior (the shellshock behavior REQUIRES the first
four bytes of a vulnerable variable to be "() {", but that example
started with space).

Furthermore, it claims that:

bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF
<<EOF <<EOF <<EOF <<EOF <<EOF' ||
echo "CVE-2014-7186 vulnerable, redir_stack"

proves that bash is vulnerable to shellshock.  This is a half-truth.  It
proves that bash's parser is buggy (and cygwin's bash-4.1.14-7 STILL has
that bug, because the bug is still present upstream), but you are ONLY
vulnerable to ShellShock if the parser can be called by arbitrary
variable contents.  That is, to prove you are vulnerable, you have to
test something like:

env x=3D'() { true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF
<<EOF <<EOF <<EOF <<EOF <<EOF' bash -c :

and if THAT dumps core, then you are vulnerable to shellshock. If you
apply all the latest upstream bash patches, it is impossible for that
sequence to dump core, because arbitrary variable assignments no longer
trigger calls into the (still-buggy) parser.

So please don't spread FUD.  Cygwin bash is no longer vulnerable to
shellshock, even if it still has parser bugs.

--=20
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


--tOeX8qXfX1DTlDMpsIPXIXPFBRuBFdKcd
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Public key at http://people.redhat.com/eblake/eblake.gpg

iQEcBAEBCAAGBQJUK2sfAAoJEKeha0olJ0NqOsQIAKnpMi6WjJGeD+WuretQ2Hjv
ggvzErkY9yzsW9A04/SheCjf6RjC1hipe1rFwzh26u3wzviVRshQwgEt/28sW5M+
sCFqpclj8j8CpbFR5RBhSQb/88xjSrkwm+KtIEuIC/HU7o0JLndsFsNbFyJ0LU8y
BbBuiIkU8Zr1inM9MUgSFbxJWjuuw+HIwzK9Cp7uT/Ky88cQo5zB08pT97nY5zMA
tA0TOXym6BdoTMa58QbCL3uem0VMy+gWuzvCGUSVFJ+l8GiQ4Fbs0pchw9oO9gbS
iGQeIuiQyeUI08CLreNyN/5ywBVyN3my3koJjPL2adFunnS5/84pFzEMg8lL1W0=
=EraY
-----END PGP SIGNATURE-----

--tOeX8qXfX1DTlDMpsIPXIXPFBRuBFdKcd--