Bug 1146804 - (CVE-2014-7187) CVE-2014-7187 bash: off-by-one error in deeply nested flow control constructs
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20140926,repor...
Keywords: Security
Blocks: 1141602
Reported: 2014-09-26 02:26 EDT by Wade Mealing
Modified: 2014-10-22 01:23 EDT (History)

Doc Type: Bug Fix
Doc Text:
An off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. Depending on the layout of the .bss segment, this could allow arbitrary execution of code that would not otherwise be executed by Bash.
Last Closed: 2014-10-22 01:23:21 EDT


Attachments: None
Description Wade Mealing 2014-09-26 02:26:31 EDT
Issue Description:

An off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. Depending on the layout of the .bss segment, this could allow arbitrary execution of code that would not otherwise be executed by Bash.
Comment 1 Florian Weimer 2014-09-26 03:27:00 EDT
The concrete .bss segment layout generated by GCC and the linker only allows overwriting a variable whose contents are already controlled by the attacker.  This has no security impact on the bash packages shipped in Red Hat Enterprise Linux.
Comment 2 Martin Prpič 2014-09-26 11:52:40 EDT
Acknowledgements:

This issue was discovered by Florian Weimer of Red Hat Product Security.
Comment 3 Tomas Hoger 2014-09-30 03:07:56 EDT
Patch for this and the CVE-2014-7186 issue is attached in bug 1146791 comment 3 as attachment 942613.
Comment 4 Tomas Hoger 2014-09-30 03:47:36 EDT
Even though this issue has no security impact on the bash packages in Red Hat Enterprise Linux (see comment 1 above for details), a patch for this issue was included in the updated packages released via RHSA-2014:1306, RHSA-2014:1311, and RHSA-2014:1312:

https://rhn.redhat.com/errata/RHSA-2014-1306.html
https://rhn.redhat.com/errata/RHSA-2014-1311.html
https://rhn.redhat.com/errata/RHSA-2014-1312.html

Statement:

Red Hat Product Security does not consider this bug to have any security impact on the bash packages shipped in Red Hat Enterprise Linux. A fix for this issue was applied as a hardening in RHSA-2014:1306, RHSA-2014:1311, and RHSA-2014:1312.
Comment 5 Gerrit Slomma 2014-09-30 04:24:20 EDT
Is this patched via RHSA-2014:1293 in Red Hat Enterprise Linux 5?
Comment 6 Tomas Hoger 2014-09-30 04:35:30 EDT
Comment 4 above already answers your question.
Comment 7 Gerrit Slomma 2014-09-30 05:36:15 EDT
Okay, so it is not fixed in RHSA-2014:1293, but in RHSA-2014:1306 - even though in https://access.redhat.com/security/cve/CVE-2014-7187 nothing is specified as Errata.
Comment 8 Maurice Smulders 2014-10-01 11:32:56 EDT
The upstream Bash43-028 patch is broken. It doesn't apply on top of bash 4.3.27.
Comment 11 errata-xmlrpc 2014-10-02 14:44:06 EDT
This issue has been addressed in the following products:

  RHEV Manager version 3.4

Via RHSA-2014:1354 https://rhn.redhat.com/errata/RHSA-2014-1354.html
Comment 12 Jayesh 2014-10-07 03:51:43 EDT
One of the public POCs for testing this vulnerability is:

(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

The above POC was reporting vulnerable before the patch and does not show vulnerable after the patch.

I understand that the off-by-one error is not exploitable (after the initial patch) and is not a security issue, but since there is a patch for this issue I would like to know if the latest patch for the off-by-one error is broken or not.

For example, when I change the double-quote used in above POC to single-quote for the for loop as below,

(for x in {1..200} ; do echo 'for x$x in ; do :'; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

... it still reports vulnerable on a patched system executing the command.

Is it because the patch is broken or the POC is not reliable?
Comment 13 Florian Weimer 2014-10-07 04:16:01 EDT
(In reply to Jayesh from comment #12)
> For example, when I change the double-quote used in above POC to
> single-quote for the for loop as below,
> 
> (for x in {1..200} ; do echo 'for x$x in ; do :'; done; for x in {1..200} ;
> do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"
> 
> ... it still reports vulnerable on a patched system executing the command.

Sorry, you really can't expect shell scripts to work after you make some random changes.  With the single quotes, an invalid shell script is generated, which will fail execution with any version of bash (and many other shell implementations).  So this test is invalid (or at least, it does not test what you think it does).

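The test from comment 12, rewritten as an added example (not code from the bug report or from Red Hat) so that the two quoting variants contrasted in comment 13 can be generated at any nesting depth and fed to a shell of choice; the function names and the SHELL_UNDER_TEST variable are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the bug report: the comment 12 test generator,
# parameterised by nesting depth, with both quoting variants side by side so
# the difference comment 13 describes can be seen directly. All function
# names and the SHELL_UNDER_TEST variable are this example's own choices.

# Maps a loop index to the variable name the double-quoted generator produces
# ("$x" expanded: x1, x2, ...).
expanded_name() { printf 'x%s' "$1"; }

# Maps every index to the literal text the single-quoted generator produces
# ("$x" not expanded), which is not a valid shell identifier.
literal_name() { printf 'x$x'; }

# Emits DEPTH nested "for NAME in ; do :" lines followed by DEPTH "done" lines.
# $1: function mapping the loop index to the variable name, $2: depth.
emit_nesting() {
    namefn=$1; depth=$2; i=1
    while [ "$i" -le "$depth" ]; do
        printf 'for %s in ; do :\n' "$("$namefn" "$i")"
        i=$((i + 1))
    done
    i=1
    while [ "$i" -le "$depth" ]; do
        printf 'done\n'
        i=$((i + 1))
    done
}

nested_script()  { emit_nesting expanded_name "$1"; }   # comment 12, double quotes
literal_script() { emit_nesting literal_name "$1"; }    # comment 12, single quotes

# Feeds a generated script to the shell under test and returns its exit status:
# 0 means the nesting was parsed and executed, non-zero means the shell
# rejected it (syntax or identifier error) or failed. $1: generator, $2: depth.
run_nesting_test() {
    "$1" "$2" | "${SHELL_UNDER_TEST:-sh}"
}

# Stand-alone use: "sh this-file.sh demo" compares both forms at the depth
# used by the public test; only nested_script actually exercises the nesting.
if [ "${1:-}" = "demo" ]; then
    for gen in nested_script literal_script; do
        if run_nesting_test "$gen" 200; then
            echo "$gen: accepted (exit 0)"
        else
            echo "$gen: rejected or failed (exit $?)"
        fi
    done
fi
```

A non-zero status from literal_script at any depth is the invalid-identifier failure comment 13 describes, not the off-by-one; only the nested_script form exercises the nesting this bug is about.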