bash: specially-crafted environment variables can be used to inject shell commands

Bug #1373965 reported by Pavel Boldin
This bug affects 2 people
Affects               Status          Importance   Assigned to    Milestone
Mirantis OpenStack    Fix Committed   Critical     Pavel Boldin
  5.0.x               In Progress     Critical     Pavel Boldin
  5.1.x               Fix Released    Critical     Pavel Boldin
  6.0.x               Fix Committed   Critical     Pavel Boldin

Bug Description

A flaw was found in the bash functionality that evaluates specially formatted environment variables passed to it from another environment.
An attacker could use this feature to override or bypass restrictions to the environment to execute shell commands before restrictions have been applied. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.

Source: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6271

Because no bash-based CGIs are used in the MOS distribution, it has been decided to wait until this bug is fixed in upstream distributions.

This ticket is to reflect the bug status.

Tags: mos-linux cve
tags: added: mos-linux
Changed in mos:
milestone: none → 6.0
importance: High → Medium
status: New → Confirmed
assignee: nobody → Pavel Boldin (pboldin)
importance: Medium → High
Miroslav Anashkin (manashkin) wrote :

We need this fix for already installed environments as well.
Our customers are already interested in this fix.
Packages from 6.0 branch should be suitable, but we need these packages before 6.0 release.

Aleksander Mogylchenko (amogylchenko) wrote :

The original fix for the problem was considered incomplete, so the new CVE was assigned:
CVE-2014-7169

summary: - CVE-2014-6271: bash: specially-crafted environment variables can be used
- to inject shell commands
+ bash: specially-crafted environment variables can be used to inject
+ shell commands
Pavel Boldin (pboldin) wrote :

The fix for CVE-2014-6271 is incomplete and still allows (at least) overwriting files. The issue (with lower severity) was re-opened as CVE-2014-7169.

From RedHat: https://access.redhat.com/articles/1200223

Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169. Red Hat is working on patches in conjunction with the upstream developers as a critical priority. For details on a workaround, please see the FAQ below.

Red Hat advises customers to upgrade to the version of Bash which contains the fix for CVE-2014-6271, and not wait for the patch which fixes CVE-2014-7169. CVE-2014-7169 is a less severe issue and patches for it are being worked on.

Miroslav Anashkin (manashkin) wrote :

Pavel, please make the new Bash package version higher than the one existing in our repositories.

Pavel Boldin (pboldin) wrote :

Further vulnerabilities have been discovered: https://github.com/hannob/bashcheck

OSCI Robot (oscirobot) wrote :

Package bash has been built from changeset: http://gerrit.mirantis.com/29678
RPM Repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.1-stable-29678/centos
You can build an ISO with this package:
make iso EXTRA_RPM_REPOS="osci-testing,http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.1-stable-29678/centos"

OSCI Robot (oscirobot) wrote :

Package bash has been built from changeset: http://gerrit.mirantis.com/29679
DEB Repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-5.1.1-stable-29679/ubuntu
You can build an ISO with this package:
make iso EXTRA_DEB_REPOS="http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-5.1.1-stable-29679/ubuntu /"

OSCI Robot (oscirobot) wrote :

Package bash has been built from changeset: http://gerrit.mirantis.com/29678
RPM Repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.1-stable-29678/centos
You can build an ISO with this package:
make iso EXTRA_RPM_REPOS="osci-testing,http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.1-stable-29678/centos"

Miroslav Anashkin (manashkin) wrote :

Please sync the updated Bash packages to our public repositories
http://mirror.fuel-infra.org/fwm/

OSCI Robot (oscirobot) wrote :

Package bash has been built from changeset: http://gerrit.mirantis.com/29679
DEB Repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-5.1.1-stable/ubuntu
You can build an ISO with this package:
make iso EXTRA_DEB_REPOS="http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-5.1.1-stable/ubuntu /"

OSCI Robot (oscirobot) wrote :

Package bash has been built from changeset: http://gerrit.mirantis.com/29678
RPM Repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.1-stable/centos
You can build an ISO with this package:
make iso EXTRA_RPM_REPOS="osci-testing,http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.1-stable/centos"

Pavel Boldin (pboldin) wrote :

The nightly build of Fuel ISO version 5.1.1 has been tested and proved to have updated bash packages for both Ubuntu and CentOS.

The nightly build of Fuel ISO 6.0 is still to be tested.

tags: added: cve
Dmitry Borodaenko (angdraug) wrote :

Fixed packages are already present in 5.1.1 mirrors, marking as In Progress. Why is it not yet in 6.0 mirrors?

Pavel Boldin (pboldin) wrote :

It was decided that the OSCI team would unfreeze the mirrors and the update will get to MOS variants from the upstream repositories.

Is it so?

Mykhaylo Slobodyan (mykhaylo-slobodyan) wrote :

Verified on 5.1.1 ISO #18

Testing /bin/bash ...
Bash version 4.1.2(1)-release

Variable function parser pre/suffixed [(), redhat], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)

VERSION:
  feature_groups:
    - mirantis
  production: "docker"
  release: "5.1.1"
  api: "1.0"
  build_number: "18"
  build_id: "2014-11-17_12-14-23"
  astute_sha: "702af3db6f5bca92525bc8322d7d5d7675ec857e"
  fuellib_sha: "0d3909b9a291880af28dbe48b9c7d25215aa98ea"
  ostf_sha: "64cb59c681658a7a55cc2c09d079072a41beb346"
  nailgun_sha: "2fcab95dc43a248ba867065e96ab764ee73882d1"
  fuelmain_sha: "ff22ca819e6eb7c63b6d7978fdd80ef9b84457d9"
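
A report in the format of the verification comment above can be triaged automatically when many hosts have to be checked. The Python parser below is an added example, not code from this thread or from bashcheck; the status names, the `EXPECTED` list and the "Vulnerable to" wording for a failing check are assumptions.

```python
import re

ANSI = re.compile(r"\x1b\[[0-9;]*m")   # colour codes, if the report was captured from a terminal
CVE = re.compile(r"CVE-\d{4}-\d{4,}")
# The six CVE ids listed in the verification comment on this page.
EXPECTED = ("CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186",
            "CVE-2014-7187", "CVE-2014-6277", "CVE-2014-6278")
# Line prefix -> status. The first three wordings appear on this page;
# "Vulnerable to" is an assumed wording for a failing check.
RULES = (("Not vulnerable to", "not_vulnerable"), ("Found non-exploitable", "non_exploitable"),
         ("Test for", "inconclusive"), ("Vulnerable to", "vulnerable"))

def parse_report(text):
    """Turn one report into {'bash_version', 'hardened_parser', 'findings'}."""
    report = {"bash_version": None, "hardened_parser": False, "findings": {}}
    for raw in text.splitlines():
        line = ANSI.sub("", raw).strip()
        m = CVE.search(line)
        if line.startswith("Bash version "):
            report["bash_version"] = line[len("Bash version "):]
        elif line.startswith("Variable function parser pre/suffixed"):
            report["hardened_parser"] = True
        elif m:  # lines with a CVE id but no known prefix become "unknown"
            report["findings"][m.group(0)] = next((s for p, s in RULES if line.startswith(p)), "unknown")
    return report

def needs_action(report):
    """Fail closed: list CVEs that are vulnerable, unrecognised or missing from the report."""
    findings = report["findings"]
    return sorted(c for c in set(EXPECTED) | set(findings)
                  if findings.get(c, "missing") in ("vulnerable", "unknown", "missing"))

# Constructed samples: PATCHED repeats the report lines of the comment above;
# UNPATCHED is an invented, truncated report from a host that was never updated.
PATCHED = """Testing /bin/bash ...
Bash version 4.1.2(1)-release
Variable function parser pre/suffixed [(), redhat], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)"""
UNPATCHED = ("Bash version 4.1.2(1)-release\n"
             "\x1b[91mVulnerable to CVE-2014-6271 (original shellshock)\x1b[39m\n"
             "Not vulnerable to CVE-2014-7186 (redir_stack bug)")

if __name__ == "__main__":
    for name, text in (("patched", PATCHED), ("unpatched", UNPATCHED)):
        print(name, needs_action(parse_report(text)))
```

An inconclusive result, such as the CVE-2014-7187 line, is recorded in `findings` but not flagged, so it still needs a manual look.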

Pavel Boldin (pboldin) wrote :

MOS 6.0 still has vulnerable versions. Does this mean that the mirrors were not thawed?

Pavel Boldin (pboldin) wrote :

MOS 6.0 Ubuntu mirror is updated with a patched version:

bash (4.2-2ubuntu2.6) precise-security; urgency=medium

  * SECURITY UPDATE: incorrect function definition parsing with
    here-document delimited by end-of-file
    - debian/patches/CVE-2014-6277.diff: properly handle closing delimiter
      in bash/copy_cmd.c, bash/make_cmd.c.
    - CVE-2014-6277
  * SECURITY UPDATE: incorrect function definition parsing via nested
    command substitutions
    - debian/patches/CVE-2014-6278.diff: properly handle certain parsing
      attempts in bash/builtins/evalstring.c, bash/parse.y, bash/shell.h.
    - CVE-2014-6278
  * Updated patches with official upstream versions:
    - debian/patches/CVE-2014-6271.diff
    - debian/patches/CVE-2014-7169.diff
    - debian/patches/variables-affix.diff
    - debian/patches/CVE-2014-718x.diff

CentOS is still vulnerable.

OSCI Robot (oscirobot) wrote :

RPM package bash has been built for project packages/centos6/bash
Package version == 4.1.2, package release == 15.3

Changeset: https://review.fuel-infra.org/1196
project: packages/centos6/bash
branch: master
author: Pavel Boldin
committer: Pavel Boldin
subject: Fixing ShellShock vulnerabilities (updating to upstream) (Partial-Bug: #1373965)
status: patchset-created

Files placed on repository:

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-master-1196/centos

OSCI Robot (oscirobot) wrote :

RPM package bash has been built for project packages/centos6/bash
Package version == 4.1.2, package release == 15.3

Changeset: https://review.fuel-infra.org/1197
project: packages/centos6/bash
branch: 6.0
author: Pavel Boldin
committer: Pavel Boldin
subject: Fixing ShellShock vulnerabilities (updating to upstream) (Partial-Bug: #1373965)
status: patchset-created

Files placed on repository:
bash-4.1.2-15.3.mira1.x86_64.rpm
bash-debuginfo-4.1.2-15.3.mira1.x86_64.rpm
bash-doc-4.1.2-15.3.mira1.x86_64.rpm

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-6.0-stable-1197/centos

OSCI Robot (oscirobot) wrote :

RPM package bash has been built for project packages/centos6/bash
Package version == 4.1.2, package release == 15.3

Changeset: https://review.fuel-infra.org/1197
project: packages/centos6/bash
branch: 6.0
author: Pavel Boldin
committer: Pavel Boldin
subject: Fixing ShellShock vulnerabilities (updating to upstream) (Partial-Bug: #1373965)
status: change-merged

Files placed on repository:
bash-4.1.2-15.3.mira1.x86_64.rpm
bash-debuginfo-4.1.2-15.3.mira1.x86_64.rpm
bash-doc-4.1.2-15.3.mira1.x86_64.rpm

Changeset merged. Package placed on primary repository
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-6.0-stable/centos
