Hide Forgot
A security flaw was found in bash, which could be exploited remotely via applications which parse untrusted user scripts via bash. This flaw is different from CVE-2014-6277, CVE-2014-7169 and CVE-2014-7186.
This issue is mentioned publicly in Michal Zalewski's blog post: http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html It does not provide any details of the issue other than describing it as: ... I also bumped in the sixth and most severe issue so far, essentially permitting very simple and straightforward remote code execution (CVE-2014-6278) on the systems that are patched against the first bug. It's a "put your commands here" type of a bug similar to the original report. I will post additional details in a couple of days to give people enough time to upgrade. However, the bash updates for Red Hat Enterprise Linux released via RHSA-2014:1306, RHSA-2014:1311, and RHSA-2014:1312 include a function name mangling patch as described in bug 1146319 comment 51. It prevents exploitation of this issue by making bash only use environment variables with specific names (currently BASH_FUNC_*()) to define functions from its environment. This change blocks currently known exploitation vectors and is also recommended by Michal Zalewski, the original reporter of this issue. Links to errata that introduced the function name mangling patch: https://rhn.redhat.com/errata/RHSA-2014-1306.html https://rhn.redhat.com/errata/RHSA-2014-1311.html https://rhn.redhat.com/errata/RHSA-2014-1312.html Knowledge base article for the "Shellshock" vulnerability, that also explains the function name mangling change in the "How does this impact systems" section: https://access.redhat.com/articles/1200223 This bug will be updated with further details of this particular issue once they are made public.
*** Bug 1148661 has been marked as a duplicate of this bug. ***
Further details: http://seclists.org/fulldisclosure/2014/Oct/9 http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html
Another user experienced a similar problem: This was caused by attempting Exploit 7 (CVE-2014-6277) listed on shellshocker.net: bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable reporter: libreport-2.2.3 backtrace_rating: 4 cmdline: bash -c 'f() { x() { _;}; x() { _;} <<a; }' crash_function: strlen executable: /usr/bin/bash kernel: 3.16.3-200.fc20.x86_64 package: bash-4.2.48-2.fc20 reason: bash killed by SIGSEGV runlevel: N 5 type: CCpp uid: 1000
Created attachment 944106 [details] File: backtrace
Another user experienced a similar problem: Running bash check script at https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck reporter: libreport-2.2.3 backtrace_rating: 4 cmdline: /usr/bin/bash -c 'f(){ x(){ _;};x(){ _;}<<a;}' crash_function: strlen executable: /usr/bin/bash kernel: 3.16.3-200.fc20.i686 package: bash-4.2.48-2.fc20 reason: bash killed by SIGSEGV runlevel: N 5 type: CCpp uid: 1000
We can reproduce this parser bug. But we treat this as a regular bug, not a security bug, because of the fixes mentioned in comment #2.
This parser bug was corrected upstream in bash 4.3p30, 4.2p53, 4.1p17, 4.0p44, 3.2p57, 3.1p23, 3.0p22 and 2.05b p13. http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-030
Statement: Red Hat no longer considers this bug to be a security issue. The change introduced in bash errata RHSA-2014:1306, RHSA-2014:1311 and RHSA-2014:1312 removed the exposure of the bash parser to untrusted input, mitigating this problem to a bug without security impact.