Gentoo Archives: gentoo-user

From: Walter Dnes <waltdnes@××××××××.org>
To: Gentoo Users List <gentoo-user@l.g.o>
Subject: [gentoo-user] [Security] Update bash *NOW*
Date: Thu, 25 Sep 2014 01:59:02
Message-Id: 20140925015844.GA21952@waltdnes.org
1 Slashdot article http://linux.slashdot.org/story/14/09/24/1638207/remote-exploit-vulnerability-found-in-bash
2
3 Story at http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html
4
5 CVE ID CVE-2014-6271 at http://seclists.org/oss-sec/2014/q3/650
6
7 Summary... bash scripts, CGI, perl via "system()", and various other
8 "commands" invoke a bash shell at times, passing environmental variables
9 in the process. Problem is that an "environmental variable" ***CAN
10 CONTAIN A FUNCTION DEFINITION, AND EXECUTE IT WHILST SPAWNING A NEW
11 SHELL***. E.g. execute the command...
12
13 env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
14
15 ...and you get the following...
16
17 vulnerable
18 this is a test
19
20 Replace...
21
22 x='() { :;}; echo vulnerable'
23
24 ...with malicious stuff, and it could get ugly. app-shells/bash-4.2_p48
25 has been pushed to Gentoo stable. The same "env" command results in...
26
27 bash: warning: x: ignoring function definition attempt
28 bash: error importing function definition for `x'
29 this is a test
30
31
32 --
33 Walter Dnes <waltdnes@××××××××.org>
34 I don't run "desktop environments"; I run useful applications

Replies

Subject Author
Re: [gentoo-user] [Security] Update bash *NOW* Kerin Millar <kerframil@×××××××××××.uk>