bash env bug on legacy centos 4.8 system

_ck_
Posts: 89
Joined: 2012/08/10 23:00:35

Re: bash env bug on legacy centos 4.8 system

Post by _ck_ » 2014/10/04 04:15:08

Oh thank goodness, with #21 it finally fully passed bashcheck

GNU bash, version 3.00.21(1)-release (i686-redhat-linux-gnu)

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)
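
A way to check a report like the one above mechanically, for example across several legacy hosts (an added example, not part of the original post and not part of bashcheck). The function name, status labels and exit codes are made up for illustration, and the "Vulnerable to ..." and "non-exploitable" line shapes are assumptions, since the post only shows passing and unreliable results:

```shell
#!/bin/sh
# Added example: classify each CVE line of a bashcheck report.
# "Not vulnerable to ..." and "Test for ... not reliable ..." are the line
# shapes shown in the post; "Vulnerable to ..." and "non-exploitable" are
# assumed shapes for failing results.

# Constructed sample: the report lines quoted in the post above.
sample_report() {
    cat <<'EOF'
GNU bash, version 3.00.21(1)-release (i686-redhat-linux-gnu)

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)
EOF
}

# Reads a report on stdin, prints "<CVE> <status>" per CVE line.
# Returns 0 = all ok, 1 = something vulnerable,
#         2 = nothing vulnerable, but a result is inconclusive or missing.
bashcheck_summary() {
    awk '
        match($0, /CVE-[0-9]+-[0-9]+/) {
            cve = substr($0, RSTART, RLENGTH)
            if      ($0 ~ /^Not vulnerable to /) status = "ok"
            else if ($0 ~ /not reliable/)        status = "inconclusive"
            else if ($0 ~ /non-exploitable/)     status = "present-not-exploitable"
            else if ($0 ~ /^Vulnerable to /)     status = "VULNERABLE"
            else                                 status = "unrecognised"
            print cve, status
            seen++
            if (status == "VULNERABLE") bad = 1
            else if (status != "ok")    soft = 1
        }
        END {
            if (bad) exit 1
            if (soft || !seen) exit 2
            exit 0
        }
    '
}

sample_report | bashcheck_summary || echo "exit status: $?"
```

An exit status of 2 on the sample reflects the CVE-2014-7187 line, which the report itself marks as not reliably testable.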

rsingh
Posts: 1
Joined: 2014/10/06 09:59:00

Re: bash env bug on legacy centos 4.8 system

Post by rsingh » 2014/10/06 10:02:45

Hi Lewis,
You are a star. I have another system and that's running -
# cat /etc/redhat-release
Red Hat Enterprise Linux ES release 4 (Nahant Update 3)

# bash --version
GNU bash, version 3.00.15(1)-release (i386-redhat-linux-gnu)

Is it safe to use the rpm (bash-3.0-27.5.i386.rpm) from your ftp server for the above release?

Many thanks,
RS

LewisR
Posts: 16
Joined: 2014/09/26 04:40:20
Location: New York, USA

Re: bash env bug on legacy centos 4.8 system

Post by LewisR » 2014/10/06 14:31:10

rsingh wrote:
Hi Lewis,
You are a star. I have another system and that's running -
# cat /etc/redhat-release
Red Hat Enterprise Linux ES release 4 (Nahant Update 3)

# bash --version
GNU bash, version 3.00.15(1)-release (i386-redhat-linux-gnu)

Is it safe to use the rpm (bash-3.0-27.5.i386.rpm) from your ftp server for the above release?

You're too kind. :oops:

My best guess is that my binary packages should be fine, but I'd prefer to have someone more familiar with the differences weigh in on this (I'm a Novell consultant, so I spend most of my time with SuSE; thus my knowledge of the finer points of CentOS vs RHEL has significant gaps). Sorry I don't have a more definitive answer for you!
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC
-------------------------------------------------------------

_ck_
Posts: 89
Joined: 2012/08/10 23:00:35

Re: bash env bug on legacy centos 4.8 system

Post by _ck_ » 2014/10/07 16:01:33


LewisR
Posts: 16
Joined: 2014/09/26 04:40:20
Location: New York, USA

Re: bash env bug on legacy centos 4.8 system

Post by LewisR » 2014/10/07 16:40:23

Ugh...

My cross-compiling setup still isn't up to par, yet, either. No worries; I'll cobble the next round together and get them posted ASAP.

Thanks for the heads-up!
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC
-------------------------------------------------------------

LewisR
Posts: 16
Joined: 2014/09/26 04:40:20
Location: New York, USA

Re: bash env bug on legacy centos 4.8 system

Post by LewisR » 2014/10/07 22:27:27

Fresh binaries available on my ftp server for:
4.8 (includes patch 22) and
3.9 (includes patch 13)

bashcheck has been updated, as well.

The builds for 3.9 (bash 2.05b) throw an error in a different shellshock test, so I would advise doing some more testing on those to be certain it's not just a quirk of the script (bashcheck reports the vulnerability for CVE-2014-7187 is "unexploitable," so I suspect the issue exists but is fairly benign - again, we are patching software which hadn't seen a patch to this bash since 2003 or so; feels like Y2K all over again).

These are still built with the older gcc builds (3.6.6 for the CentOS 4.8 ones and 3.2.3 for the CentOS 3.9 ones).

Hope they continue to be of use.

Cheers
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC
-------------------------------------------------------------

Rip
Posts: 1
Joined: 2014/10/08 06:21:41

Re: bash env bug on legacy centos 4.8 system

Post by Rip » 2014/10/08 06:24:42

LewisR,

Created an account so I could express my gratitude for the rpms you created/provided.

Many thanks!

Cheers
Rip.

LewisR
Posts: 16
Joined: 2014/09/26 04:40:20
Location: New York, USA

Re: bash env bug on legacy centos 4.8 system

Post by LewisR » 2014/10/08 14:11:15

Rip wrote:
LewisR,

Created an account so I could express my gratitude for the rpms you created/provided.

Many thanks!

You're very welcome, Rip!

Cheers to you, too. ;)
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC
-------------------------------------------------------------

_ck_
Posts: 89
Joined: 2012/08/10 23:00:35

Re: bash env bug on legacy centos 4.8 system

Post by _ck_ » 2014/10/31 07:49:05

Looks like we might have to manually update wget on 4.x too

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: bash env bug on legacy centos 4.8 system

Post by TrevorH » 2014/10/31 09:07:57

How are those migration plans coming along...
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
