unofficial mirror of guix-devel@gnu.org 
* Serious Bash security vulnerabilities
From: Ludovic Courtès @ 2014-09-25 13:14 UTC (permalink / raw)
  To: guix-devel

Yesterday a serious Bash vulnerability was disclosed, which led to the
creation of the bash-cve-2014-6271 branch which is now half built:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
  http://seclists.org/oss-sec/2014/q3/650
  http://hydra.gnu.org/jobset/gnu/bash-cve-2014-6271

However, a few hours later, the fix was found to be incomplete:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169

Currently a patch has been posted by the Bash maintainer, but there have
been no reactions yet, and it’s not on ftp.gnu.org yet:

  http://seclists.org/oss-sec/2014/q3/690

We’ll apply it as soon as there’s some confirmation that it does
solve the problem, and get Hydra to rebuild the whole thing.  We’ll
merge the branch as soon as a reasonable subset has been built.

Ludo’.

* Re: Serious Bash security vulnerabilities
From: Ludovic Courtès @ 2014-09-26  7:55 UTC (permalink / raw)
  To: guix-devel

We’ve decided to merge the ‘bash-cve-2014-6271’ branch: it’s an
incomplete fix, but it’s already an improvement, and it’s completely
built on Hydra for x86.

As for what’s next, quoting Mark on IRC:

<mark_weaver> the other three patches I'm aware of are:
	      http://seclists.org/oss-sec/2014/q3/att-690/eol-pushback.patch
	      (from Chet),
	      http://seclists.org/oss-sec/2014/q3/att-712/parse-oob-4_2.patch
	      (seems non-controversial), and
	      http://seclists.org/oss-sec/2014/q3/att-712/variables-affix-4_2.patch
	      (more radical hardening, not fully compatible, but maybe still a
	      good idea)  [09:40]

[...]

<mark_weaver> FYI, this following message assigns two CVEs (CVE-2014-7186 and
	      CVE-2014-7187) to the two flaws fixed by the parse-oob patch:
	      http://seclists.org/oss-sec/2014/q3/735  [09:45]
<mark_weaver> my feeling is that we should create another branch with at least
	      the eol-pushback and parse-oob patches applied, and start hydra
	      building it

Ludo’.
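
A way to check whether a given bash build is affected by the issues named
in this thread (the original CVE-2014-6271 report and the CVE-2014-7169
follow-on from the first message, and the two parse-oob flaws CVE-2014-7186
and CVE-2014-7187 that Mark lists in the reply).  This is an added example,
not code from the thread, from Guix or from the patches discussed; it runs
the probes that circulated on oss-sec at the time.  The TARGET_BASH
variable, the function names and the verdict words (vulnerable / patched /
no-bash) are this script's own conventions.

```sh
#!/bin/sh
# Added example (not from the guix-devel thread or from Guix): probe a bash
# binary for the Shellshock issues named in the thread.  TARGET_BASH, the
# function names and the verdict words are this script's own conventions;
# it defaults to whatever "bash" is on PATH.

TARGET_BASH="${TARGET_BASH:-bash}"

have_bash() {
    command -v "$TARGET_BASH" >/dev/null 2>&1
}

# CVE-2014-6271: bash imports "() { ... }" variables as functions and, when
# unpatched, also executes whatever follows the closing brace at startup.
check_cve_2014_6271() {
    have_bash || { echo no-bash; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$TARGET_BASH" -c 'echo probe' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: with only the first fix applied, a malformed definition left
# the parser holding a dangling redirection, so "echo date" was parsed as
# "> echo date" and the output of date landed in a file named "echo".
# The probe runs in a throwaway directory so nothing is left behind.
check_cve_2014_7169() {
    have_bash || { echo no-bash; return 0; }
    dir=$(mktemp -d) || { echo no-bash; return 0; }
    ( cd "$dir" && env X='() { (a)=>\' "$TARGET_BASH" -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$dir/echo" ]; then verdict=vulnerable; else verdict=patched; fi
    rm -rf "$dir"
    echo "$verdict"
}

# CVE-2014-7186: 14 unterminated here-documents overrun the fixed-size
# redir_stack in unpatched bash; the crash shows up as a non-zero exit.
check_cve_2014_7186() {
    have_bash || { echo no-bash; return 0; }
    if "$TARGET_BASH" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1
    then echo patched; else echo vulnerable; fi
}

# A script with 200 nested "for" loops (each with an empty word list, so
# nothing runs); parsing it overruns word_lineno in unpatched bash
# (CVE-2014-7187).
nested_for_script() {
    i=1
    while [ "$i" -le 200 ]; do echo "for x$i in ; do :"; i=$((i + 1)); done
    i=1
    while [ "$i" -le 200 ]; do echo done; i=$((i + 1)); done
}

check_cve_2014_7187() {
    have_bash || { echo no-bash; return 0; }
    if nested_for_script | "$TARGET_BASH" >/dev/null 2>&1
    then echo patched; else echo vulnerable; fi
}

# One verdict line per CVE.
report() {
    echo "CVE-2014-6271: $(check_cve_2014_6271)"
    echo "CVE-2014-7169: $(check_cve_2014_7169)"
    echo "CVE-2014-7186: $(check_cve_2014_7186)"
    echo "CVE-2014-7187: $(check_cve_2014_7187)"
}

report
```

Run it as `TARGET_BASH=/path/to/bash sh shellshock-probe.sh` against the
bash you just built; each check prints a single word so the script can be
fed to a larger inventory job.  The 7169 probe is the one to watch after
applying only the first patch: it is what the thread means by "the fix was
found to be incomplete".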

* Re: Serious Bash security vulnerabilities
From: Ludovic Courtès @ 2014-09-26 22:05 UTC (permalink / raw)
  To: guix-devel

ludo@gnu.org (Ludovic Courtès) wrote:

> <mark_weaver> the other three patches I'm aware of are:
> 	      http://seclists.org/oss-sec/2014/q3/att-690/eol-pushback.patch
> 	      (from Chet),
> 	      http://seclists.org/oss-sec/2014/q3/att-712/parse-oob-4_2.patch
> 	      (seems non-controversial), and
> 	      http://seclists.org/oss-sec/2014/q3/att-712/variables-affix-4_2.patch
> 	      (more radical hardening, not fully compatible, but maybe still a
> 	      good idea)  [09:40]

The ‘bash-cve-next’ branch applies the first two patches and is now
being built:

  http://hydra.gnu.org/jobset/gnu/bash-cve-next

Ludo’.
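
The third patch in Mark's list, variables-affix, is the one the
‘bash-cve-next’ branch leaves out.  What it changes is the name under which
an exported function travels in the environment: instead of the bare
function name, a decorated (prefixed and suffixed) name that only a bash
aware of the convention turns back into a function, which is why it is "not
fully compatible".  The following is an added example, not code from the
thread, from Guix or from the patch, that reports which convention a given
bash uses.  TARGET_BASH and the classification words (bare / affixed /
none / no-bash) are this script's own.

```sh
#!/bin/sh
# Added example (not from the guix-devel thread, Guix or the bash patches):
# find out whether a bash exports functions under their bare name or under
# a prefixed/suffixed name, as the variables-affix hardening does.
# TARGET_BASH and the classification words are this script's own conventions.

TARGET_BASH="${TARGET_BASH:-bash}"

# Export a function named "probe" from the target bash and print the name of
# the environment variable it shows up under (or no-bash / none).
exported_function_var() {
    command -v "$TARGET_BASH" >/dev/null 2>&1 || { echo no-bash; return 0; }
    name=$("$TARGET_BASH" -c 'probe() { :; }; export -f probe; env' 2>/dev/null \
           | sed -n 's/^\([^=]*probe[^=]*\)=.*/\1/p' | head -n 1) || true
    echo "${name:-none}"
}

# "bare": the variable is named after the function itself, so any process
# that imports the environment into a bash of the same kind gets the
# function back.  "affixed": the name is decorated; a bash expecting the
# bare form will not recognise it, and vice versa, which is the
# compatibility cost of the hardening.
export_encoding() {
    case "$(exported_function_var)" in
        probe)   echo bare ;;
        no-bash) echo no-bash ;;
        *probe*) echo affixed ;;
        *)       echo none ;;
    esac
}

echo "exported as: $(exported_function_var) -> $(export_encoding)"
```

Point TARGET_BASH at a bash built from the branch under test to see which
form it produces; a mixed fleet (some bashes bare, some affixed) will lose
exported functions across exec boundaries between the two kinds.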

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git
