bug-bash

Re: CVE-2014-7169 vs CVE-2014-6271


From: Chet Ramey
Subject: Re: CVE-2014-7169 vs CVE-2014-6271
Date: Sat, 27 Sep 2014 19:03:05 -0400
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0

On 9/26/14, 12:58 PM, Alan Wild wrote:
> I've been searching for some clarification on these two "fixes" and I'm
> utterly confused.  I've been led to believe RedHat's first patch (6271) is
> based on code from Chet that just causes bash to reject functions where
> code appears outside of the function body.
> 
> However, this patch was labeled as "insufficient" and 7169 now appears to
> completely remove the ability to receive function definitions from the
> environment.

There is a second problem (caused by a different issue) that happens to be
reachable via the same attack vector.  The Red Hat patch changes the
acceptable name space for function exports; it doesn't remove the ability
to export shell functions.  Here's something I wrote on the issue for
another mailing list:

Red Hat got impatient and is a day or two ahead of me.  The patch I posted
yesterday solves the underlying issue that CVE-2014-7169 exploits (leaving
a stray character in a lookahead buffer).  The Red Hat patch cuts off the
attack vector by changing the restrictions on the namespace of functions
the shell will import from the environment.  You need both: if someone
finds a vector that allows them to remotely specify arbitrary environment
variable names, it's easy enough to match the namespace that bash will be
using, so you'd like to fix the underlying vulnerability rather than
simply blocking the way to it.

I understand Red Hat's impatience: they have users with contracts to
support, and they only have one version of bash to modify (as far as I
know, they only support bash-4.2, but they may have bash-4.1 as well).
They were able to produce a patch quickly that blocked existing attacks
and they have a pipeline to distribute it.  I haven't looked at their
patch, so I don't know whether it includes the fix I distributed in
bash43-026.

I have patches that I will package up and distribute later today that are
essentially identical to Red Hat's and change the allowable function import
namespace.  It takes me a little while longer: I want to fix the root
cause; I have to produce, at least in these cases, patches for many more
versions of bash (8); and I have some backwards compatibility concerns that
Red Hat has probably deemed less important than getting their fix to their
customers.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet@case.edu    http://cnswww.cns.cwru.edu/~chet/
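As an added example (not code from this thread or from the bash project), a POSIX sh script that probes a bash binary for the three behaviours Chet distinguishes above: whether plain environment variables are still imported as functions, whether trailing code after a function body is executed (CVE-2014-6271), and whether a stray character is left in the parser's lookahead buffer (CVE-2014-7169). The function names are mine, and it assumes BASH_BIN names the bash under test, defaulting to the one on PATH:

```shell
#!/bin/sh
# Added check, not from the thread or the bash project. Assumes $BASH_BIN
# is the bash to test; defaults to whatever "bash" is on PATH.
BASH_BIN="${BASH_BIN:-bash}"

# Namespace check: before the import-namespace patch, any variable whose
# value began with "() {" was imported as a function, so "type x" succeeded.
import_check() {
    if env x='() { :;}' "$BASH_BIN" -c 'type x' >/dev/null 2>&1; then
        echo imported
    else
        echo not-imported
    fi
}

# Show the variable name a patched bash uses when it exports a function
# (a BASH_FUNC_ prefix plus a suffix an ordinary variable cannot have).
export_name() {
    "$BASH_BIN" -c 'f() { :; }; export -f f; env | grep "^BASH_FUNC_f" | cut -d= -f1'
}

# CVE-2014-6271: an unpatched bash executed the text after the function
# body while importing it, so "vulnerable" came out before "safe".
trailing_code_check() {
    env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo safe' 2>/dev/null | head -n 1
}

# CVE-2014-7169: the failed definition left ">" in the lookahead buffer, so
# the next command was parsed as a redirection and created a file named
# "echo" in the current directory. A fixed bash creates nothing.
lookahead_check() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env x='() { (a)=>\' "$BASH_BIN" -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$dir/echo" ]; then echo stray; else echo clean; fi
    rm -rf "$dir"
}

# One-line report over all probes.
report() {
    printf 'import=%s export_as=%s 6271=%s 7169=%s\n' \
        "$(import_check)" "$(export_name)" "$(trailing_code_check)" "$(lookahead_check)"
}

report
```

A bash carrying only the namespace patch reports not-imported for all three probes, which is exactly why Chet argues that fixing the lookahead bug itself still matters.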
