This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: cygwin bash and Shellshock / CVE-2014-6271 & CVE-2014-7169


On 09/26/2014 01:33 PM, Richard DeFuria wrote:
> Hello,
> 
> I downloaded the latest setup and installed the latest packages on my Win8.1
> x64 box.
> 
> It seems as though my cygwin bash shell has been patched against
> CVE-2014-6271 as per:
> 	$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> 	bash: warning: x: ignoring function definition attempt
> 	bash: error importing function definition for `x'
> 	this is a test
> 
> However, it is still susceptible to CVE-2014-7169 as per:
> 	$ env X='() { (a)=>\' sh -c "echo date"; cat echo
> 	sh: X: line 1: syntax error near unexpected token `='
> 	sh: X: line 1: `'
> 	sh: error importing function definition for `X'
> 	Fri, Sep 26, 2014  3:23:15 PM
> 
> That is, the 'original' Shellshock vulnerability is fixed, but not the 'new'
> Shellshock vulnerability.
> 
> Is this correct?

Correct.  Patience please; I'm still in the middle of testing my
4.1.13-6 build, but it WILL be out today, as I already promised:
https://cygwin.com/ml/cygwin/2014-09/msg00400.html

Furthermore, while there are already known exploits in the wild for
CVE-2014-6271, we have not yet seen as much effort to exploit
CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187; meanwhile, these latter
three are a lot less damaging than the first in terms of severity.
Please read
https://securityblog.redhat.com/2014/09/26/frequently-asked-questions-about-the-shellshock-bash-flaws/;
my delay in patching Cygwin is for the same reason Red Hat delayed in
the second half of patching their products - I want to make sure that
the fixed version on bash will be immune to ALL parser bugs (whereas the
upstream patch 4.1.13 only patched CVE-2014-7169, my build will solve
all three CVE).  If upstream later releases 4.1.14, you can be assured
that I will once again rebuild bash with that fix.

By the way, I have NOT yet seen anyone trying to exploit CVE-2014-7186;
but you can do a fairly easy denial of service, or feasibly cause a
heap-smashing attack for arbitrary code execution, merely by nesting
enough heredocs into a single function definition, on a version of bash
that uses only the upstream patches (the flaw that upstream has is that
it even parses normal environment variables as functions in the first
place); the fix that I'm applying, as a copy from Red Hat, moves
functions into a different namespace so that normal environment
variables CANNOT be parsed as functions, and thus bugs in the parser
(which may still well exist, as evidenced by CVE-2014-7186) at least
won't be exploitable by remote attackers.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]