Gentoo Archives: gentoo-announce

From: Alex Legler <a3li@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201409-09 ] Bash: Code Injection
Date: Wed, 24 Sep 2014 22:44:41
Message-Id: 542348FB.8020404@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201409-09
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: High
8 Title: Bash: Code Injection
9 Date: September 24, 2014
10 Bugs: #523592
11 ID: 201409-09
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 A parsing flaw related to functions and environments in Bash could
19 allow attackers to inject code.
20
21 Background
22 ==========
23
24 Bash is the standard GNU Bourne Again SHell.
25
26 Affected packages
27 =================
28
29 -------------------------------------------------------------------
30 Package / Vulnerable / Unaffected
31 -------------------------------------------------------------------
32 1 app-shells/bash < 4.2_p48 *>= 3.1_p18
33 *>= 3.2_p52
34 *>= 4.0_p39
35 *>= 4.1_p12
36 >= 4.2_p48
37
38 Description
39 ===========
40
41 Stephane Chazelas reported that Bash incorrectly handles function
42 definitions, allowing attackers to inject arbitrary code.
43
44 Impact
45 ======
46
47 A remote attacker could exploit this vulnerability to execute arbitrary
48 commands even in restricted environments.
49
50 Workaround
51 ==========
52
53 There is no known workaround at this time.
54
55 Resolution
56 ==========
57
58 All Bash 3.1 users should upgrade to the latest version:
59
60 # emerge --sync
61 # emerge --ask --oneshot --verbose ">=app-shells/bash-3.1_p18"
62
63 All Bash 3.2 users should upgrade to the latest version:
64
65 # emerge --sync
66 # emerge --ask --oneshot --verbose ">=app-shells/bash-3.2_p52"
67
68 All Bash 4.0 users should upgrade to the latest version:
69
70 # emerge --sync
71 # emerge --ask --oneshot --verbose ">=app-shells/bash-4.0_p39"
72
73 All Bash 4.1 users should upgrade to the latest version:
74
75 # emerge --sync
76 # emerge --ask --oneshot --verbose ">=app-shells/bash-4.1_p12"
77
78 All Bash 4.2 users should upgrade to the latest version:
79
80 # emerge --sync
81 # emerge --ask --oneshot --verbose ">=app-shells/bash-4.2_p48"
82
83 References
84 ==========
85
86 [ 1 ] CVE-2014-6271
87 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6271
88
89 Availability
90 ============
91
92 This GLSA and any updates to it are available for viewing at
93 the Gentoo Security Website:
94
95 http://security.gentoo.org/glsa/glsa-201409-09.xml
96
97 Concerns?
98 =========
99
100 Security is a primary focus of Gentoo Linux and ensuring the
101 confidentiality and security of our users' machines is of utmost
102 importance to us. Any security concerns should be addressed to
103 security@g.o or alternatively, you may file a bug at
104 https://bugs.gentoo.org.
105
106 License
107 =======
108
109 Copyright 2014 Gentoo Foundation, Inc; referenced text
110 belongs to its owner(s).
111
112 The contents of this document are licensed under the
113 Creative Commons - Attribution / Share Alike license.
114
115 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature