bash env bug on legacy centos 4.8 system

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: bash env bug on legacy centos 4.8 system

Post by TrevorH » 2014/09/28 11:25:11

I have no idea how much an el4 EUS is but I bet it's not cheap. OTOH, the amount of effort being expended on one bug here is quite considerable and there appears to be not much thought given as to how many of the other 19 pages of bugs released for el5 since Feb 2012 here are also applicable to el4 and are missing.

You're quite welcome to continue to discuss this here. I'm just pointing out that you are almost quite literally flogging a dead horse! ;-) I'm pretty sure that you'd all be better expending the same amount of effort in migrating to a supported release.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

_ck_
Posts: 89
Joined: 2012/08/10 23:00:35

Re: bash env bug on legacy centos 4.8 system

Post by _ck_ » 2014/09/28 12:03:21

Oh I completely get running centos4 is a very bad idea. But in some cases there is no other option without throwing a lot of time/money at it.

In theory the one remaining 4.9 server I am maintaining will be retired next year.
For now I keep very good backups, and any new server I am setting up gets centos7 because I never want to run into this update wall again in my lifetime.

Looking at those "19 pages", if you trim it to security and only important/critical severity, then eliminate the bulk of PHP and HTTPD (apache) and Firefox (which are either updated independently or not running) it is not an overwhelming list.

Some do look a bit concerning, though many look like escalation of existing access.

However this bash issue is an instantaneous script-kiddie exploit without any other presence on the server,
and it is too easy to fix thanks to the published patches - so why ignore it?

_ck_
Posts: 89
Joined: 2012/08/10 23:00:35

Re: bash env bug on legacy centos 4.8 system

Post by _ck_ » 2014/10/01 19:55:38

Wow, patch 20, where did that come from?

http://ftp.gnu.org/pub/gnu/bash/bash-3. ... bash30-020

Neverending. And I don't see other updates for CentOS5/6/7 - strange.

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: bash env bug on legacy centos 4.8 system

Post by TrevorH » 2014/10/01 22:40:33

Florian Weimer, who's listed as the author on that patch, is a Red Hat employee and that patch was included in the second round of bash patches for el5/6 and 7.

_ck_
Posts: 89
Joined: 2012/08/10 23:00:35

Re: bash env bug on legacy centos 4.8 system

Post by _ck_ » 2014/10/02 03:36:41

So bashcheck has been updated

https://github.com/hannob/bashcheck/blo ... /bashcheck

and while patch #20 solves the segfault, I do not understand why this still fails:

Vulnerable to CVE-2014-6277 (lcamtuf bug #1) [no patch]

I wonder if one of the patches is not finding what it needs, strange.

Oh it is still segfaulting, it is just masked

     bash -c "f(){ x(){ _;};x(){ _;}<<a;}"

     Segmentation fault (core dumped)

Segfault is far from ideal but at least it is not executing the code in the end.

Ah, just saw a notice there are two more patches pending. Maybe then.
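
A way to catch the masked crash described in the post above, added here as an example and not part of the thread or of bashcheck: it reads the patch level from a bash binary and classifies the exit status of the quoted test case, since a status above 128 means the process died from a signal (139 is SIGSEGV) even when the message is discarded. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread or from bashcheck; function names are hypothetical.

# A shell reports a child killed by signal N as exit status 128+N, so
# 139 means SIGSEGV (11) even when the "Segmentation fault" text is discarded.
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo "clean"
    elif [ "$1" -gt 128 ]; then
        echo "killed-by-signal-$(($1 - 128))"
    else
        echo "error-$1"
    fi
}

# Run a command with all output silenced and classify how it ended.
run_and_classify() {
    rc=0
    ( "$@" ) >/dev/null 2>&1 || rc=$?
    classify_status "$rc"
}

# Version and patch level of the bash binary under test, e.g. 3.0.21.
bash_patchlevel() {
    "$1" -c 'echo "${BASH_VERSINFO[0]}.${BASH_VERSINFO[1]}.${BASH_VERSINFO[2]}"'
}

# Parser test case quoted in the post above, run against the given binary.
check_parser_crash() {
    run_and_classify "$1" -c 'f(){ x(){ _;};x(){ _;}<<a;}'
}

# One-line report for a bash binary (defaults to the one on PATH).
report() {
    bin=${1:-bash}
    echo "$bin $(bash_patchlevel "$bin"): parser test $(check_parser_crash "$bin")"
}

if [ $# -gt 0 ]; then
    report "$1"
fi
```

Pass the path of a freshly built binary as the only argument to test it before it replaces the system shell.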

LewisR
Posts: 16
Joined: 2014/09/26 04:40:20
Location: New York, USA

Re: bash env bug on legacy centos 4.8 system

Post by LewisR » 2014/10/02 04:35:58

_ck_ wrote:
     Wow, patch 20, where did that come from?

     http://ftp.gnu.org/pub/gnu/bash/bash-3. ... bash30-020

     Neverending. And I don't see other updates for CentOS5/6/7 - strange.

Wow... Thanks for keeping up with these patch notifications.

Okay, building & testing, now. I'll have fresh binaries for everyone shortly.

Also, FYI, I have been fighting for the past two evenings to get a working CentOS 7 x64 VM in VirtualBox with the cross-compiler stuff necessary to take a stab at building these using gcc 4.8 (with -fsanitize=address capability) and hopefully be able to generate both 32 & 64-bit binaries.
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC
-------------------------------------------------------------

LewisR
Posts: 16
Joined: 2014/09/26 04:40:20
Location: New York, USA

Re: bash env bug on legacy centos 4.8 system

Post by LewisR » 2014/10/02 05:43:05

Fresh binaries available on my ftp server.

These are still built with the older gcc, so the test for CVE-2014-7187 is still inconclusive.

Cheers

dunedinit
Posts: 1
Joined: 2014/10/02 17:19:09

Re: bash env bug on legacy centos 4.8 system

Post by dunedinit » 2014/10/02 20:30:30

LewisR wrote:
     Fresh binaries available on my ftp server.

     These are still built with the older gcc, so the test for CVE-2014-7187 is still inconclusive.

     Cheers

Thanks Lewis, this helped loads!

LewisR
Posts: 16
Joined: 2014/09/26 04:40:20
Location: New York, USA

Re: bash env bug on legacy centos 4.8 system

Post by LewisR » 2014/10/03 19:33:39

Glad to be of service. ;)

Patch 21 just landed last evening. I'll build shortly and will follow up.

LewisR
Posts: 16
Joined: 2014/09/26 04:40:20
Location: New York, USA

Re: bash env bug on legacy centos 4.8 system

Post by LewisR » 2014/10/03 20:25:16

Fresh binaries available on my ftp server.

These are still built with the older gcc, so the test for CVE-2014-7187 is still inconclusive. However, CVE-2014-6277 now shows as not vulnerable (when testing from bashcheck, at least).

I'm still trying to get a useful build system for these set up under CentOS 7 (which was a bear to install under VBox 4.3, if I do say so myself). I'm almost halfway there (I think), so we'll see how it goes.

Good luck, everyone.
