On 09/26/2014 01:33 PM, Richard DeFuria wrote:
> Hello,
>
> I downloaded the latest setup and installed the latest packages on my Win8.1
> x64 box.
>
> It seems as though my cygwin bash shell has been patched against
> CVE-2014-6271 as per:
> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> bash: warning: x: ignoring function definition attempt
> bash: error importing function definition for `x'
> this is a test
>
> However, it is still susceptible to CVE-2014-7169 as per:
> $ env X='() { (a)=>\' sh -c "echo date"; cat echo
> sh: X: line 1: syntax error near unexpected token `='
> sh: X: line 1: `'
> sh: error importing function definition for `X'
> Fri, Sep 26, 2014 3:23:15 PM
>
> That is, the 'original' Shellshock vulnerability is fixed, but not the 'new'
> Shellshock vulnerability.
>
> Is this correct?
Correct. Patience please; I'm still in the middle of testing my 4.1.13-6 build, but it WILL be out today, as I already promised:
https://cygwin.com/ml/cygwin/2014-09/msg00400.html

Furthermore, while there are already known exploits in the wild for CVE-2014-6271, we have not yet seen as much effort to exploit CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187; meanwhile, these latter three are a lot less damaging than the first in terms of severity. Please read
https://securityblog.redhat.com/2014/09/26/frequently-asked-questions-about-the-shellshock-bash-flaws/;
my delay in patching Cygwin is for the same reason Red Hat delayed in the second half of patching their products - I want to make sure that the fixed version of bash will be immune to ALL parser bugs (whereas the upstream patch 4.1.13 only patched CVE-2014-7169, my build will solve all three CVEs). If upstream later releases 4.1.14, you can be assured that I will once again rebuild bash with that fix.

By the way, I have NOT yet seen anyone trying to exploit CVE-2014-7186; but you can do a fairly easy denial of service, or feasibly cause a heap-smashing attack for arbitrary code execution, merely by nesting enough heredocs into a single function definition, on a version of bash that uses only the upstream patches (the flaw that upstream has is that it even parses normal environment variables as functions in the first place); the fix that I'm applying, as a copy from Red Hat, moves functions into a different namespace so that normal environment variables CANNOT be parsed as functions, and thus bugs in the parser (which may still well exist, as evidenced by CVE-2014-7186) at least won't be exploitable by remote attackers.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
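As an added example (not from either poster), the two checks quoted in the thread turned into a small script a sysadmin can run against an installed bash, plus a look at the namespace change Eric describes: exported functions get a dedicated `BASH_FUNC_` environment key (the exact suffix depends on patch level), and a plain variable whose value merely looks like a function is no longer imported. Function names here are my own; the checks run in a child `bash` so the script itself stays POSIX sh.

```shell
#!/bin/sh
# Added example, not part of the original thread. Each check spawns a child
# bash so the result reflects the installed bash, not the shell running this.

# CVE-2014-6271: is a plain variable whose value looks like a function
# imported, with the trailing command executed?
check_cve_2014_6271() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: the parser bug leaves a dangling redirection, so on an
# unpatched bash 'echo date' turns into '>echo date' and creates a file named
# 'echo' in the working directory. Run it in a scratch directory and look for
# that file instead of eyeballing 'cat echo' as in the quoted test.
check_cve_2014_7169() {
    tmp=$(mktemp -d) || return 2
    (cd "$tmp" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1)
    if [ -e "$tmp/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$tmp"
    echo "$result"
}

# The fix Eric describes: an exported function is placed in the environment
# under a BASH_FUNC_<name>... key, and only keys with that prefix are ever
# parsed as functions. Prints the key a patched bash uses for "demo".
exported_function_key() {
    bash -c 'demo() { echo hi; }; export -f demo;
             env | sed -n "s/^\(BASH_FUNC_demo[^=]*\)=.*/\1/p"'
}

# Complement of the above: a plain variable holding function-like text is
# not imported as a function by a patched child bash (declare -F fails).
plain_var_imported_as_function() {
    env x='() { :;}' bash -c 'declare -F x >/dev/null 2>&1 && echo yes || echo no'
}

echo "CVE-2014-6271: $(check_cve_2014_6271)"
echo "CVE-2014-7169: $(check_cve_2014_7169)"
echo "exported function env key: $(exported_function_key)"
echo "plain variable imported as function: $(plain_var_imported_as_function)"
```

On a bash carrying the namespace fix all four lines read patched / patched / a `BASH_FUNC_demo...` key / no; a bash with only the first upstream patch reports the second check as vulnerable.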