Bug 1147414 (CVE-2014-6278)

Summary: CVE-2014-6278 bash: incorrect parsing of function definitions with nested command substitutions
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: admiller, alick9188, brandono, buffer.g.overflow, carnil, collura, dsulliva, eblake, erich, fweimer, gagriogi, hannsj_uhl, hayato.suzuki, jentrena, Maxy_David, me, mmcallis, morten, nkim, ooprala, pete.philips, raina, relrod, rfreire, rrajaram, rvandolson, security-response-team, skito, stuart, vijay.majagaonkar, vkaigoro, yoguma
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-22 04:40:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1141602    
Description Flags
File: backtrace none

Description Huzaifa S. Sidhpurwala 2014-09-29 08:40:40 UTC
A security flaw was found in bash, which could be exploited remotely via applications which parse untrusted user scripts via bash. This flaw is different from CVE-2014-6277, CVE-2014-7169 and CVE-2014-7186.

Comment 1 Tomas Hoger 2014-09-29 11:32:18 UTC
This issue is mentioned publicly in Michal Zalewski's blog post:


It does not provide any details of the issue other than describing it as:

  ... I also bumped in the sixth and most severe issue so far, essentially
  permitting very simple and straightforward remote code execution
  (CVE-2014-6278) on the systems that are patched against the first bug. It's
  a "put your commands here" type of a bug similar to the original report. I
  will post additional details in a couple of days to give people enough time
  to upgrade.

However, the bash updates for Red Hat Enterprise Linux released via RHSA-2014:1306, RHSA-2014:1311, and RHSA-2014:1312 include a function name mangling patch as described in bug 1146319 comment 51.  It prevents exploitation of this issue by making bash only use environment variables with specific names (currently BASH_FUNC_*()) to define functions from its environment.  This change blocks currently known exploitation vectors and is also recommended by Michal Zalewski, the original reporter of this issue.

Links to errata that introduced the function name mangling patch:


Knowledge base article for the "Shellshock" vulnerability, that also explains the function name mangling change in the "How does this impact systems" section:


This bug will be updated with further details of this particular issue once they are made public.

Comment 11 Eric Blake 2014-10-02 04:28:55 UTC
*** Bug 1148661 has been marked as a duplicate of this bug. ***

Comment 15 Max 2014-10-05 21:30:25 UTC
Another user experienced a similar problem:

This was caused by attempting Exploit 7 (CVE-2014-6277) listed on shellshocker.net:
bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable

reporter:       libreport-2.2.3
backtrace_rating: 4
cmdline:        bash -c 'f() { x() { _;}; x() { _;} <<a; }'
crash_function: strlen
executable:     /usr/bin/bash
kernel:         3.16.3-200.fc20.x86_64
package:        bash-4.2.48-2.fc20
reason:         bash killed by SIGSEGV
runlevel:       N 5
type:           CCpp
uid:            1000

Comment 16 Max 2014-10-05 21:30:27 UTC
Created attachment 944106 [details]
File: backtrace

Comment 17 Stuart D Gathman 2014-10-06 16:22:18 UTC
Another user experienced a similar problem:

Running bash check script at https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck

reporter:       libreport-2.2.3
backtrace_rating: 4
cmdline:        /usr/bin/bash -c 'f(){ x(){ _;};x(){ _;}<<a;}'
crash_function: strlen
executable:     /usr/bin/bash
kernel:         3.16.3-200.fc20.i686
package:        bash-4.2.48-2.fc20
reason:         bash killed by SIGSEGV
runlevel:       N 5
type:           CCpp
uid:            1000

Comment 20 Florian Weimer 2014-10-07 21:02:12 UTC
We can reproduce this parser bug.  But we treat this as a regular bug, not a security bug, because of the fixes mentioned in comment #2.

Comment 23 Tomas Hoger 2014-10-08 20:38:41 UTC
This parser bug was corrected upstream in bash 4.3p30, 4.2p53, 4.1p17, 4.0p44, 3.2p57, 3.1p23, 3.0p22 and 2.05b p13.


Comment 25 Vincent Danen 2014-10-14 14:15:02 UTC

Red Hat no longer considers this bug to be a security issue. The change introduced in bash errata RHSA-2014:1306, RHSA-2014:1311 and RHSA-2014:1312 removed the exposure of the bash parser to untrusted input, mitigating this problem to a bug without security impact.