On 9/30/2014 1:54 PM, Jung-uk Kim wrote: > On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote: >> On 9/29/2014 11:01 AM, Mike Tancsa wrote: >>> On 9/26/2014 5:01 PM, Bryan Drewery wrote: >>>> On 9/26/2014 12:41 PM, Bryan Drewery wrote: >>>>> On 9/26/2014 11:51 AM, Bryan Drewery wrote: >>>>>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote: >>>>>>> Apparently, the full fix is still not delivered, accordingly to this: >>>>>>> http://seclists.org/oss-sec/2014/q3/741 >>>>>>> >>>>>>> Kind regards, >>>>>>> Bartek Rutkowski >>>>>>> >>>>>> >>>>>> I'm pretty sure they call that a "feature". This is a bit different. >>>> >>>> I've disabled environment function importing in the port. Using >>>> --import-functions will allow it to work if you need it. >>> >>> Hi Bryan, >>> With the latest ports, bashcheck still sees some issues with bash. >>> Are these false positives on FreeBSD ? >>> >>> Using >>> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck >>> >>> Not vulnerable to CVE-2014-6271 (original shellshock) >>> Not vulnerable to CVE-2014-7169 (taviso bug) >>> ./bashcheck: line 18: 54908 Segmentation fault (core dumped) bash >>> -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null >>> Vulnerable to CVE-2014-7186 (redir_stack bug) >>> Test for CVE-2014-7187 not reliable without address sanitizer >>> Variable function parser inactive, likely safe from unknown parser bugs >>> >>> ---Mike >> >> Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187. > > Applying the first patch for parse.y from the following post passed the > tests for me. > > http://www.openwall.com/lists/oss-security/2014/09/25/32 > > In fact, all major Linux distros seem to use it now. > > FYI, > > Jung-uk Kim
For some reason the redir_stack issue is not showing up at all for me on head without the patch. It does show up on an 8.4 system of mine without the patch though. I have applied it now to the port. -- Regards, Bryan Drewery
signature.asc
Description: OpenPGP digital signature
