bash env bug on legacy centos 4.8 system

A 5 star hangout for overworked and underpaid system admins.
User avatar
TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: bash env bug on legacy centos 4.8 system

Post by TrevorH » 2014/09/26 21:21:03

Just to reiterate: CentOS 4.anything is end of life. It has no support. It is an ex-product. If you still have machines running CentOS 4 then you need to be looking urgently at migrating them to a supported release. This is not new: it has been end of life for two and a half years. I am 100% certain that many of the security vulnerabilities that have been found and fixed in the last 2.5 years in CentOS 5 and CentOS 6 also apply to CentOS 4. You are running something that is insecure and you need to start planning, 2.5 years ago, how to get off it!

I'm sorry if this sounds rude. It's not meant that way but you've had 2.5 years to get off an EOL platform and onto something else.

If you really really need to run el4 and have a business case for it then you should probably justify to your management why you should buy a Redhat extended services subscription and get yourself onto the el4 Z stream which is still supported and has produced fixes for this issue.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

LewisR
Posts: 16
Joined: 2014/09/26 04:40:20
Location: New York, USA
Contact:

Re: bash env bug on legacy centos 4.8 system

Post by LewisR » 2014/09/27 00:03:43

Fresh binaries available on my ftp server .

These include bash30-018 which addresses CVE-2014-7169 .

x64 builds coming shortly. Note the updated readme in the FTP directory.

Cheers
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC
-------------------------------------------------------------

LewisR
Posts: 16
Joined: 2014/09/26 04:40:20
Location: New York, USA
Contact:

Re: bash env bug on legacy centos 4.8 system

Post by LewisR » 2014/09/27 00:35:39

Hi, Trevor... Fancy meeting you here. ;)
TrevorH wrote:Just to reiterate: CentOS 4.anything is end of life. It has no support. It is an ex-product. If you still have machines running CentOS 4 then you need to be looking urgently at migrating them to a supported release.

<snip>

If you really really need to run el4 and have a business case for it then you should probably justify to your management why you should buy a Redhat extended services subscription and get yourself onto the el4 Z stream which is still supported and has produced fixes for this issue.
I have a single app which does not seem to be happy running on anything newer. I don't need to justify expense to management, because that's my decision (I'm management). I could spend the time to migrate the application to el4 (which was a supported OS for it), but to what end? If I can keep up with critical issues like this, it's hard to justify the cost of a commercial distro for a single app which is seldom used (but works like a charm, and thus is not worth replacing) and the time and effort to migrate the OS on the box to something else, so long as the OS remains installable on modern hardware.

If I were doing this for a client, I would likely take a different position, because the client would have to pay for my support to maintain the older (unsupported) distro. For my own stuff, however, the formula is a bit different.

Cheers
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC
-------------------------------------------------------------

LewisR
Posts: 16
Joined: 2014/09/26 04:40:20
Location: New York, USA
Contact:

Re: bash env bug on legacy centos 4.8 system

Post by LewisR » 2014/09/27 01:09:43

LewisR wrote:Fresh binaries available on my ftp server .

These include bash30-018 which addresses CVE-2014-7169 .

x64 builds coming shortly. Note the updated readme in the FTP directory.

Cheers
64-bit builds are now available from my FTP server, referenced above.

Good luck!
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC
-------------------------------------------------------------

_ck_
Posts: 89
Joined: 2012/08/10 23:00:35

Re: bash env bug on legacy centos 4.8 system

Post by _ck_ » 2014/09/28 00:52:58

A third patch has now appeared, and more bug detection

http://seclists.org/oss-sec/2014/q3/693
http://www.openwall.com/lists/oss-secur ... 4/09/25/13

Currently unofficial but since they are with redhat, it will probably get put into distro over the next few days.
It is not yet ported for older bash versions:

http://seclists.org/oss-sec/2014/q3/att ... ffix.patch

Automated check script:

https://raw.githubusercontent.com/hanno ... /bashcheck

LewisR
Posts: 16
Joined: 2014/09/26 04:40:20
Location: New York, USA
Contact:

Re: bash env bug on legacy centos 4.8 system

Post by LewisR » 2014/09/28 04:59:29

_ck_ wrote:A third patch has now appeared, and more bug detection

<snip>

Automated check script:

https://raw.githubusercontent.com/hanno ... /bashcheck
Egad, what a mess...

Okay, I've built 32 and 64-bit rpms, but the automated check has me a little puzzled:

Code: Select all

Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
./bashcheck: line 18: 19987 Segmentation fault      bash -c "true $(printf '<<EOF %.0s' {1..79})" 2>/dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs
Some guidance, here?

This post seems to suggest that

Code: Select all

# bash -c ':<<a<<b<<c<<d<<e<<f<<g<<h<<i<<j<<k<<l<<m<<n'
which triggers odd behavior (I get a segfault on both 32 & 64-bit builds), indicates vulnerability to CVE-2014-7186. However, running the multiline test:

Code: Select all

# env 'f=() { :<<a<<b<<c<<d<<e<<f<<g<<h<<i<<j<<k<<l<<m<<n
a
b
c
d
e
f
g
h
i
j
k
l
m
n
}' bash -c 'echo hi'
passes, and the post referenced above seems to imply that this is an indication of not being vulnerable to CVE-2014-7186.

The next test in the above post is:

Code: Select all

# bash -c "export f=1 g='() {'; f() { echo 2;}; export -f f; bash -c 'echo \$f \$g; f; env | grep ^f='"
which my builds pass:

Code: Select all

1 () {
2
f=1
TIA
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC
-------------------------------------------------------------

LewisR
Posts: 16
Joined: 2014/09/26 04:40:20
Location: New York, USA
Contact:

Re: bash env bug on legacy centos 4.8 system

Post by LewisR » 2014/09/28 05:33:57

Hmmm...

Okay. I figured out why I can't build with -fsanitize=address (this was apparently added in gcc 4.8, and I am building with gcc 3.4.6). So, should this be a real problem? I'm more concerned about the segfault when testing for CVE-2014-7186.
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC
-------------------------------------------------------------

_ck_
Posts: 89
Joined: 2012/08/10 23:00:35

Re: bash env bug on legacy centos 4.8 system

Post by _ck_ » 2014/09/28 10:37:19

LewisR wrote:this was apparently added in gcc 4.8, and I am building with gcc 3.4.6).
I suspect we could build the bash3.0 binary on a newer version of centos with gcc 4.8 and copy it over

I use the devtoolset copy of gcc4.8 on centos6.5 http://linux.web.cern.ch/linux/devtoolset/

but centos7 has newer gcc right in base repo

_ck_
Posts: 89
Joined: 2012/08/10 23:00:35

Re: bash env bug on legacy centos 4.8 system

Post by _ck_ » 2014/09/28 10:39:54

Okay patch 19 has now appeared for 3.0

Here we go again

http://ftp.gnu.org/pub/gnu/bash/bash-3. ... bash30-019

(it appears to be the official version of the unofficial patch)

after #19 on centos 4.9

Code: Select all

./bashcheck       
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
./bashcheck: line 18: 14262 Segmentation fault      (core dumped) bash -c "true $(printf '<<EOF %.0s' {1..79})" 2>/dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs
So I guess I expect #20 sometime this week.

What is strange is the redir_stack bug is okay on CentOS 6.5 even before the next yum update

Code: Select all

Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs
OH I see now, the segfault causes the redir test to be marked as failed.

I also do not see a .3 package sitting on the 6.5 mirrors (yet)
http://mirror.centos.org/centos/6/updat ... /Packages/

_ck_
Posts: 89
Joined: 2012/08/10 23:00:35

Re: bash env bug on legacy centos 4.8 system

Post by _ck_ » 2014/09/28 11:06:19

TrevorH wrote:If you really really need to run el4 and have a business case for it then you should probably justify to your management why you should buy a Redhat extended services subscription and get yourself onto the el4 Z stream which is still supported and has produced fixes for this issue.
Out of morbid curiosity, how much is a EL4 ELS subscription anyway?

Also, very curious if yum can switch out the centos4 and el4 binaries without hassle since they are supposed to virtually identical?

Post Reply