Bug 1146804 (CVE-2014-7187) - CVE-2014-7187 bash: off-by-one error in deeply nested flow control constructs
Summary: CVE-2014-7187 bash: off-by-one error in deeply nested flow control constructs
Status: CLOSED ERRATA
Alias: CVE-2014-7187
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20140926,repor...
Keywords: Security
Depends On:
Blocks: 1141602
Reported: 2014-09-26 06:26 UTC by Wade Mealing
Modified: 2014-10-22 05:23 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
An off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. Depending on the layout of the .bss segment, this could allow arbitrary execution of code that would not otherwise be executed by Bash.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-22 05:23:21 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker ID: Red Hat Product Errata RHSA-2014:1354
Priority: normal
Status: SHIPPED_LIVE
Summary: Critical: rhev-hypervisor6 security update
Last Updated: 2014-10-02 22:40:05 UTC

Description Wade Mealing 2014-09-26 06:26:31 UTC
Issue Description:

An off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. Depending on the layout of the .bss segment, this could allow arbitrary execution of code that would not otherwise be executed by Bash.

Comment 1 Florian Weimer 2014-09-26 07:27:00 UTC
The concrete .bss segment layout generated by GCC and the linker only allows overwriting a variable whose contents are already controlled by the attacker.  This has no security impact on the bash packages shipped in Red Hat Enterprise Linux.

Comment 2 Martin Prpič 2014-09-26 15:52:40 UTC
Acknowledgements:

This issue was discovered by Florian Weimer of Red Hat Product Security.

Comment 3 Tomas Hoger 2014-09-30 07:07:56 UTC
Patch for this and the CVE-2014-7186 issue is attached in bug 1146791 comment 3 as attachment 942613.

Comment 4 Tomas Hoger 2014-09-30 07:47:36 UTC
Even though this issue has no security impact on the bash packages in Red Hat Enterprise Linux (see comment 1 above for details), a patch for this issue was included in the updated packages released via RHSA-2014:1306, RHSA-2014:1311, and RHSA-2014:1312:

https://rhn.redhat.com/errata/RHSA-2014-1306.html
https://rhn.redhat.com/errata/RHSA-2014-1311.html
https://rhn.redhat.com/errata/RHSA-2014-1312.html

Statement:

Red Hat Product Security does not consider this bug to have any security impact on the bash packages shipped in Red Hat Enterprise Linux. A fix for this issue was applied as a hardening in RHSA-2014:1306, RHSA-2014:1311, and RHSA-2014:1312.

Comment 5 Gerrit Slomma 2014-09-30 08:24:20 UTC
Is this patched via RHSA-2014:1293 in Red Hat Enterprise Linux 5?

Comment 6 Tomas Hoger 2014-09-30 08:35:30 UTC
Comment 4 above already answers your question.

Comment 7 Gerrit Slomma 2014-09-30 09:36:15 UTC
Okay, so it is not fixed in RHSA-2014:1293, but in RHSA-2014:1306 - even though in https://access.redhat.com/security/cve/CVE-2014-7187 nothing is specified as Errata.

Comment 8 Maurice Smulders 2014-10-01 15:32:56 UTC
The upstream Bash43-028 patch is broken. It doesn't apply on top of bash 4.3.27.

Comment 11 errata-xmlrpc 2014-10-02 18:44:06 UTC
This issue has been addressed in the following products:

  RHEV Manager version 3.4

Via RHSA-2014:1354 https://rhn.redhat.com/errata/RHSA-2014-1354.html

Comment 12 Jayesh 2014-10-07 07:51:43 UTC
One of the public PoCs for testing this vulnerability is:

(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

The above PoC reported vulnerable before the patch and does not report vulnerable after the patch.

I understand that the off-by-one error is not exploitable (after the initial patch) and is not a security issue, but since there is a patch for this issue I would like to know whether the latest patch for the off-by-one error is broken or not.

For example, when I change the double quotes used in the above PoC to single quotes for the for loop, as below,

(for x in {1..200} ; do echo 'for x$x in ; do :'; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

... it still reports vulnerable on a patched system executing the command.

Is it because the patch is broken or the POC is not reliable?

Comment 13 Florian Weimer 2014-10-07 08:16:01 UTC
(In reply to Jayesh from comment #12)
> For example, when I change the double quotes used in the above PoC to
> single quotes for the for loop, as below,
> 
> (for x in {1..200} ; do echo 'for x$x in ; do :'; done; for x in {1..200} ;
> do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"
> 
> ... it still reports vulnerable on a patched system executing the command.

Sorry, you really cannot expect shell scripts to work after you make random changes to them.  With the single quotes, an invalid shell script is generated, which will fail to execute with any version of bash (and many other shell implementations).  So this test is invalid (or at least, it does not test what you think it does).

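As an added example (not part of the bug report, and not code from the bash project), the nested-loop test from comment 12 rewritten as POSIX shell functions: one generator that reproduces the double-quoted PoC for an arbitrary depth, one that reproduces the single-quoted variant, and a runner that, before reporting "vulnerable", feeds the same generator's output at a trivial depth to the target bash. That sanity check encodes the point of comment 13: a failure only means something about bash if the script would have been accepted at a shallow depth. The function names, the "ok"/"vulnerable"/"invalid-test" labels and the default depth of 200 (the value the public PoC uses) are choices made here, not anything from the report.

```shell
#!/bin/sh
# Added example, not code from the bug report: a reproducible version of the
# nested-"for" test from comment 12, with a sanity check for the generator.

# Print a script with $1 nested "for" loops, each over an empty list, followed
# by the matching "done" lines. This mirrors the double-quoted public PoC.
gen_nested_for() {
    nf_depth=$1
    nf_i=1
    while [ "$nf_i" -le "$nf_depth" ]; do
        printf 'for x%d in ; do :\n' "$nf_i"
        nf_i=$((nf_i + 1))
    done
    nf_i=1
    while [ "$nf_i" -le "$nf_depth" ]; do
        printf 'done\n'
        nf_i=$((nf_i + 1))
    done
}

# The single-quoted variant from comment 12: $x is no longer expanded by the
# generating shell, so every line reads literally "for x$x in ; do :", and
# "x$x" is not a valid identifier for bash. This script is invalid at any depth.
gen_nested_for_broken() {
    nb_i=1
    while [ "$nb_i" -le "$1" ]; do
        printf '%s\n' 'for x$x in ; do :'
        nb_i=$((nb_i + 1))
    done
    nb_i=1
    while [ "$nb_i" -le "$1" ]; do
        printf 'done\n'
        nb_i=$((nb_i + 1))
    done
}

# run_nest_test GENERATOR DEPTH [BASH]
# Prints one of:
#   invalid-test  the generator's output is rejected even at depth 2, so a
#                 failure at DEPTH would say nothing about bash (comment 13)
#   ok            the target bash executed the deeply nested script
#   vulnerable    the script runs at depth 2 but fails at DEPTH
run_nest_test() {
    rt_gen=$1
    rt_depth=${2:-200}
    rt_target=${3:-bash}
    if ! "$rt_gen" 2 | "$rt_target" 2>/dev/null; then
        echo invalid-test
        return 0
    fi
    if "$rt_gen" "$rt_depth" | "$rt_target" 2>/dev/null; then
        echo ok
    else
        echo vulnerable
    fi
}

# Usage (uncomment to run against a specific binary):
# run_nest_test gen_nested_for 200 /bin/bash
# run_nest_test gen_nested_for_broken 200 /bin/bash
```

"vulnerable" here means only that the target bash failed, by parse error or crash, to run a script that the same generator produced successfully at depth 2; it does not distinguish the two. The bash under test is whatever `bash` is on PATH unless a path is given as the third argument, so point it at the exact binary from the package being checked.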
