Bug 1147414 (CVE-2014-6278)
| Summary: | CVE-2014-6278 bash: incorrect parsing of function definitions with nested command substitutions | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Huzaifa S. Sidhpurwala <huzaifas> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED NOTABUG | QA Contact: | |||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | unspecified | CC: | admiller, alick9188, brandono, buffer.g.overflow, carnil, collura, dsulliva, eblake, erich, fweimer, gagriogi, hannsj_uhl, hayato.suzuki, jentrena, maxpatera, me, mmcallis, morten, nkim, ooprala, pete.philips, raina, relrod, rfreire, rrajaram, rvandolson, security-response-team, skito, stuart, vijay.majagaonkar, vkaigoro, yoguma | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2014-10-22 04:40:49 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1141602 | ||||||
| Attachments: |
|
||||||
|
Description
Huzaifa S. Sidhpurwala
2014-09-29 08:40:40 UTC
This issue is mentioned publicly in Michal Zalewski's blog post: http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html It does not provide any details of the issue other than describing it as: ... I also bumped in the sixth and most severe issue so far, essentially permitting very simple and straightforward remote code execution (CVE-2014-6278) on the systems that are patched against the first bug. It's a "put your commands here" type of a bug similar to the original report. I will post additional details in a couple of days to give people enough time to upgrade. However, the bash updates for Red Hat Enterprise Linux released via RHSA-2014:1306, RHSA-2014:1311, and RHSA-2014:1312 include a function name mangling patch as described in bug 1146319 comment 51. It prevents exploitation of this issue by making bash only use environment variables with specific names (currently BASH_FUNC_*()) to define functions from its environment. This change blocks currently known exploitation vectors and is also recommended by Michal Zalewski, the original reporter of this issue. Links to errata that introduced the function name mangling patch: https://rhn.redhat.com/errata/RHSA-2014-1306.html https://rhn.redhat.com/errata/RHSA-2014-1311.html https://rhn.redhat.com/errata/RHSA-2014-1312.html Knowledge base article for the "Shellshock" vulnerability, that also explains the function name mangling change in the "How does this impact systems" section: https://access.redhat.com/articles/1200223 This bug will be updated with further details of this particular issue once they are made public. *** Bug 1148661 has been marked as a duplicate of this bug. *** Further details: http://seclists.org/fulldisclosure/2014/Oct/9 http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html Another user experienced a similar problem: This was caused by attempting Exploit 7 (CVE-2014-6277) listed on shellshocker.net: bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable reporter: libreport-2.2.3 backtrace_rating: 4 cmdline: bash -c 'f() { x() { _;}; x() { _;} <<a; }' crash_function: strlen executable: /usr/bin/bash kernel: 3.16.3-200.fc20.x86_64 package: bash-4.2.48-2.fc20 reason: bash killed by SIGSEGV runlevel: N 5 type: CCpp uid: 1000 Created attachment 944106 [details]
File: backtrace
Another user experienced a similar problem: Running bash check script at https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck reporter: libreport-2.2.3 backtrace_rating: 4 cmdline: /usr/bin/bash -c 'f(){ x(){ _;};x(){ _;}<<a;}' crash_function: strlen executable: /usr/bin/bash kernel: 3.16.3-200.fc20.i686 package: bash-4.2.48-2.fc20 reason: bash killed by SIGSEGV runlevel: N 5 type: CCpp uid: 1000 We can reproduce this parser bug. But we treat this as a regular bug, not a security bug, because of the fixes mentioned in comment #2. This parser bug was corrected upstream in bash 4.3p30, 4.2p53, 4.1p17, 4.0p44, 3.2p57, 3.1p23, 3.0p22 and 2.05b p13. http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-030 Statement: Red Hat no longer considers this bug to be a security issue. The change introduced in bash errata RHSA-2014:1306, RHSA-2014:1311 and RHSA-2014:1312 removed the exposure of the bash parser to untrusted input, mitigating this problem to a bug without security impact. |