This is the mail archive of the cygwin mailing list for the Cygwin project.
On 09/30/2014 07:42 PM, Andy wrote:
> Eric Blake (cygwin <ebb9 <at> byu.net> writes:
>> This is a minor rebuild which picks up an upstream patch to fix
>> CVE-2014-7169 and all other ShellShock attacks (4.1.13-6 was also safe,
>> but used a slightly different downstream patch that used '()' instead of
>> '%%' in environment variables, and which was overly restrictive on
>> importing functions whose name was not an identifier). There are still
>> known parser crashers (such as CVE-2014-7186, CVE-2014-7187, and
>> CVE-2014-6277) where upstream will probably issue patches soon; but
>> while those issues can trigger a local crash, they cannot be exploited
>> for escalation of privilege via arbitrary variable contents by this
>> build. Left unpatched, a vulnerable version of bash could allow
>> arbitrary code execution via specially crafted environment variables,
>> and was exploitable through a number of remote services, so it is highly
>> recommended that you upgrade
>
> I found this to be a good test site, with a comprehensive list of
> exploits and explicit description of what to expect in order to decide
> whether an exploit is still active: http://shellshocker.net

That site is not 100% accurate. Among others, it claims that:

  env X=' () { }; echo hello' bash -c 'date'

can output hello on vulnerable bash. That is untrue; no version of bash
exists with that behavior (the shellshock behavior REQUIRES the first four
bytes of a vulnerable variable to be "() {", but that example started with
a space).

Furthermore, it claims that:

  bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"

proves that bash is vulnerable to shellshock. This is a half-truth. It
proves that bash's parser is buggy (and cygwin's bash-4.1.14-7 STILL has
that bug, because the bug is still present upstream), but you are ONLY
vulnerable to ShellShock if the parser can be called by arbitrary variable
contents.

That is, to prove you are vulnerable, you have to test something like:

  env x='() { true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' bash -c :

and if THAT dumps core, then you are vulnerable to shellshock. If you apply
all the latest upstream bash patches, it is impossible for that sequence to
dump core, because arbitrary variable assignments no longer trigger calls
into the (still-buggy) parser.

So please don't spread FUD. Cygwin bash is no longer vulnerable to
shellshock, even if it still has parser bugs.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
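A check that keeps the two conditions Eric distinguishes apart (a buggy parser versus a parser reachable from arbitrary environment contents), written as an added example for this archive page; it is not code from the mail or from cygwin's bash. It assumes a `bash` binary on PATH (override with BASH_BIN) and reports each condition separately instead of folding them into one "vulnerable" verdict.

```sh
#!/bin/sh
# Added example, not from the original mail. It separates the two questions the
# mail distinguishes: (a) does bash's parser still have the redir_stack bug
# (CVE-2014-7186), and (b) can arbitrary environment contents reach that parser
# at all (ShellShock)? Assumes a `bash` on PATH; override with BASH_BIN.
BASH_BIN="${BASH_BIN:-bash}"

# The 14 stacked heredocs quoted in the mail as the parser crasher.
REDIR_STACK='true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'

# Map a child's exit status to a verdict: 129..254 means it died from a
# signal (139 = SIGSEGV), which is what a parser crash looks like.
verdict() {
    if [ "$1" -gt 128 ] && [ "$1" -lt 255 ]; then echo crashed; else echo ok; fi
}
have_bash() { command -v "$BASH_BIN" >/dev/null 2>&1; }

# (a) Parser check: hand the heredoc sequence straight to the parser. A crash
# here only proves the parser is buggy, not that bash is exposed.
parser_direct() {
    have_bash || { echo missing; return; }
    st=0
    "$BASH_BIN" -c "$REDIR_STACK" >/dev/null 2>&1 || st=$?
    verdict "$st"
}

# (b) Exposure check: the same sequence arrives only as the value of a variable
# shaped like an exported function. A patched bash never parses it, so this
# stays "ok" even when (a) crashes.
parser_via_env() {
    have_bash || { echo missing; return; }
    st=0
    env x="() { $REDIR_STACK" "$BASH_BIN" -c : >/dev/null 2>&1 || st=$?
    verdict "$st"
}

# Original ShellShock import check: the command after the function body must
# never run when the variable is merely imported into the environment.
function_import() {
    have_bash || { echo missing; return; }
    out=$(env x='() { :;}; echo IMPORTED' "$BASH_BIN" -c : 2>/dev/null)
    case "$out" in *IMPORTED*) echo vulnerable ;; *) echo safe ;; esac
}

# "crashed" from (a) with "ok" from (b) is the state the mail describes for
# cygwin bash-4.1.14-7: a buggy parser that attacker-controlled data cannot reach.
echo "parser direct:   $(parser_direct)"
echo "parser via env:  $(parser_via_env)"
echo "function import: $(function_import)"
```

On a bash carrying all upstream patches every line reads "ok" or "safe"; a bash with only the parser bug shows "crashed" on the first line and "ok" on the second, which is exactly the situation the mail calls not vulnerable to shellshock.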