IssueDescription: An off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. Depending on the layout of the .bss segment, this could allow arbitrary execution of code that would not otherwise be executed by Bash.
The concrete .bss segment layout generated by GCC and the linker only allows overwriting a variable whose contents is already controlled by the attacker. This has no security impact on the bash packages shipped in Red Hat Enterprise Linux.
Acknowledgements: This issue was discovered by Florian Weimer of Red Hat Product Security.
Patch for this and the CVE-2014-7186 issue is attached in bug 1146791 comment 3 as attachment 942613.
Even though this issue has no security impact on the bash packages in Red Hat Enterprise Linux (see comment 1 above for details), a patch for this issue was included in the updated packages released via RHSA-2014:1306, RHSA-2014:1311, and RHSA-2014:1312:

https://rhn.redhat.com/errata/RHSA-2014-1306.html
https://rhn.redhat.com/errata/RHSA-2014-1311.html
https://rhn.redhat.com/errata/RHSA-2014-1312.html

Statement: Red Hat Product Security does not consider this bug to have any security impact on the bash packages shipped in Red Hat Enterprise Linux. A fix for this issue was applied as a hardening in RHSA-2014:1306, RHSA-2014:1311, and RHSA-2014:1312.
Is this patched via RHSA-2014:1293 in Red Hat Enterprise Linux 5?
Comment 4 above already answers your question.
Okay, so it is not fixed in RHSA-2014:1293, but in RHSA-2014:1306 - even though in https://access.redhat.com/security/cve/CVE-2014-7187 nothing is specified as Errata.
The upstream Bash43-028 patch is broken. It doesn't apply on top of bash 4.3.27.
This issue has been addressed in the following products:

RHEV Manager version 3.4

Via RHSA-2014:1354 https://rhn.redhat.com/errata/RHSA-2014-1354.html
One of the public POCs for testing this vulnerability is:

(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

The above POC was reporting vulnerable before the patch and does not show vulnerable after the patch. I understand that the off-by-one error is not exploitable (after the initial patch) and is not a security issue, but since there is a patch for this issue I would like to know if the latest patch for the off-by-one error is broken or not. For example, when I change the double-quote used in the above POC to single-quote for the for loop as below,

(for x in {1..200} ; do echo 'for x$x in ; do :'; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

... it still reports vulnerable on a patched system executing the command. Is it because the patch is broken or the POC is not reliable?
(In reply to Jayesh from comment #12)
> For example, when I change the double-quote used in above POC to
> single-quote for the for loop as below,
>
> (for x in {1..200} ; do echo 'for x$x in ; do :'; done; for x in {1..200} ;
> do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"
>
> ... it still reports vulnerable on a patched system executing the command.

Sorry, you really can't expect shell scripts to work after you make some random changes. With the single quotes, an invalid shell script is generated, which will fail execution with any version of bash (and many other shell implementations). So this test is invalid (or at least, it does not test what you think it does).
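The following is an added example, not code from the bug report or from the bash project. It wraps the public check from comment 12 in a small POSIX sh harness so the outcome is a return value instead of an echoed string, and it separates the two things the comment-13 reply distinguishes: whether bash accepts the deeply nested construct (what the check is meant to test), and whether the single-quoted variant is simply an invalid script that any bash rejects. It assumes a `bash` binary on PATH; the depth of 200 is taken from the comment-12 one-liner, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report). Harness around the public
# nested-"for" check for CVE-2014-7187. Assumes "bash" is on PATH.

# Emit DEPTH nested "for xN in ; do :" lines followed by DEPTH "done" lines.
# Every loop has an empty word list, so no loop body ever executes; the
# script only exercises the parser's nesting bookkeeping.
gen_nested_for() {
    depth=$1
    i=1
    while [ "$i" -le "$depth" ]; do
        echo "for x$i in ; do :"
        i=$((i + 1))
    done
    i=1
    while [ "$i" -le "$depth" ]; do
        echo "done"
        i=$((i + 1))
    done
}

# Returns 0 when bash parses and runs the generated script cleanly.
# The comment-12 check reports "vulnerable" exactly when this fails.
bash_accepts_nested_for() {
    gen_nested_for "$1" | bash >/dev/null 2>&1
}

# The single-quoted variant from comment 12 never expands $x, so each line
# is literally "for x$x in ; do :". "x$x" is not a valid variable name and
# bash rejects the script whatever its version, so a failure here says
# nothing about the off-by-one. Returns 0 when bash rejects the script.
single_quoted_variant_is_rejected() {
    depth=$1
    {
        i=1
        while [ "$i" -le "$depth" ]; do
            echo 'for x$x in ; do :'
            i=$((i + 1))
        done
        i=1
        while [ "$i" -le "$depth" ]; do
            echo "done"
            i=$((i + 1))
        done
    } | bash >/dev/null 2>&1 && return 1
    return 0
}

# Stand-alone usage: "sh this_script.sh run" prints a report in the same
# spirit as the original one-liner.
if [ "${1:-}" = "run" ]; then
    if bash_accepts_nested_for 200; then
        echo "nested for at depth 200: accepted by this bash"
    else
        echo "CVE-2014-7187 vulnerable, word_lineno"
    fi
    if single_quoted_variant_is_rejected 200; then
        echo "single-quoted variant: rejected by bash (invalid script, not a bug indicator)"
    fi
fi
```

Keeping the generator separate from the check makes it easy to vary the depth (the original one-liner hard-codes 200) and to confirm, before trusting a "vulnerable" verdict, that the generated script is one bash is expected to accept at all.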