Bug 898604

Summary: VUL-0: bash: functions via environment hardening
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED WONTFIX
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: jsegitz, krahmer, meissner, mmarek, okir, ptesarik, rb03884, thomas.schulte, tyuan
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: maint:released:sle11-sp1:59120 maint:released:sle10-sp3:59143 maint:released:sle11-sp2:59141 maint:released:sle11-sp2:59121 maint:released:oes11-sp1:59198 maint:released:sle11-sp2:59268
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: variables-affix-3.0.patch
variables-affix-4.2.patch
variables-affix-3.2.patch
variables-affix-3.1.patch

Description Marcus Meissner 2014-09-26 09:06:48 UTC
Created attachment 608084 [details]
variables-affix-3.0.patch

via oss-sec and debian

This patch disallows passing of function macros in variables except when named
BASH_FUNC_* 

Due to the unexpected nature we should include this hardening method.
Comment 1 Marcus Meissner 2014-09-26 09:07:05 UTC
Created attachment 608085 [details]
variables-affix-4.2.patch

variables-affix-4.2.patch
Comment 2 Dr. Werner Fink 2014-09-26 10:08:32 UTC
This patch does conflict with the patch of CVE-2014-6271!
Comment 3 Marcus Meissner 2014-09-26 11:43:54 UTC
Created attachment 608128 [details]
variables-affix-3.2.patch

ported patch for bash 3.2 (SLE11 SP3) on top of the CVE-2014-6271 patch
Comment 4 Marcus Meissner 2014-09-26 11:47:28 UTC
Created attachment 608129 [details]
variables-affix-3.1.patch

variables-affix-3.1.patch  based on top of CVE-2014-6721
Comment 7 Bernhard Wiedemann 2014-09-26 13:00:21 UTC
This is an autogenerated message for OBS integration:
This bug (898604) was mentioned in
https://build.opensuse.org/request/show/252461 13.1 / bash
https://build.opensuse.org/request/show/252465 12.3 / bash
Comment 8 Marcus Meissner 2014-09-27 11:21:26 UTC
testcase ...

function export should only work if named BASH_FUNC_xx()

ff() {
   echo ffhello
}
export -f ff
export FOOff="() { echo FOOhello; }"
bash
env|grep ff
FOOff
ff
exit

Before: will print "FOOhello" and "ffhello"

After: will print "ffhello" and an error for FOOff
Comment 10 Marcus Meissner 2014-09-28 08:26:35 UTC
even simpler:

foo='() { echo not patched; }' bash -c foo
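
The following is an added example, not part of the bug report or of the attached patches: a small POSIX shell audit helper that applies the naming rule described above (function bodies are imported only from variables named BASH_FUNC_*) to a list of environment entries, and wraps the one-line test from comment 10 as a check of the installed bash. The function names, result labels and the sample environment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): audit helpers for the BASH_FUNC_ rule.

# classify_entry NAME VALUE -> how a bash carrying the hardening treats the entry
classify_entry() {
    case $2 in
        '() {'*)                       # value looks like an exported function body
            case $1 in
                BASH_FUNC_*) echo function-export ;;
                *)           echo not-imported ;;
            esac ;;
        *) echo plain ;;
    esac
}

# audit_env: read one NAME=VALUE entry per line on stdin and print the names
# that carry a function body under a name outside the BASH_FUNC_ namespace.
audit_env() {
    while IFS= read -r line; do
        case $line in *=*) ;; *) continue ;; esac
        name=${line%%=*}               # everything before the first '='
        value=${line#*=}               # everything after the first '='
        if [ "$(classify_entry "$name" "$value")" = not-imported ]; then
            echo "$name"
        fi
    done
}

# probe_bash [PATH]: run the one-line test from comment 10 against a bash binary.
probe_bash() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(foo='() { echo not patched; }' "$bash_bin" -c foo 2>/dev/null) || true
    if [ "$out" = "not patched" ]; then echo imports-any-name; else echo hardened; fi
}

# Constructed sample environment, one entry per line (values kept single-line).
sample_env() {
    cat <<'EOF'
HOME=/home/user
BASH_FUNC_ff()=() { echo ffhello; }
FOOff=() { echo FOOhello; }
EOF
}

sample_env | audit_env                 # prints: FOOff
probe_bash
```

Real `env` output prints exported function bodies across several lines, so feed `audit_env` entries that have been normalised to one per line.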
Comment 11 Swamp Workflow Management 2014-09-28 10:06:28 UTC
openSUSE-SU-2014:1229-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 898346,898603,898604
CVE References: CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
Sources used:
openSUSE 12.3 (src):    bash-4.2-61.15.1
Comment 12 Swamp Workflow Management 2014-09-28 10:10:37 UTC
openSUSE-SU-2014:1242-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 898346,898603,898604
CVE References: CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
Sources used:
openSUSE 13.1 (src):    bash-4.2-68.8.1
Comment 13 Swamp Workflow Management 2014-09-28 17:05:47 UTC
SUSE-SU-2014:1247-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 898346,898603,898604
CVE References: CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    bash-3.2-147.22.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    bash-3.2-147.22.1
SUSE Linux Enterprise Server 11 SP3 (src):    bash-3.2-147.22.1
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    bash-3.2-147.14.22.1
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    bash-3.2-147.14.22.1
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    bash-3.1-24.34.1
SUSE Linux Enterprise Server 10 SP3 LTSS (src):    bash-3.1-24.34.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    bash-3.2-147.22.1
Comment 14 Marcus Meissner 2014-09-29 06:05:51 UTC
*** Bug 898888 has been marked as a duplicate of this bug. ***
Comment 15 Bernhard Wiedemann 2014-09-29 08:00:20 UTC
This is an autogenerated message for OBS integration:
This bug (898604) was mentioned in
https://build.opensuse.org/request/show/252744 Factory / bash
Comment 16 Bernhard Wiedemann 2014-09-29 09:03:11 UTC
This is an autogenerated message for OBS integration:
This bug (898604) was mentioned in
https://build.opensuse.org/request/show/252752 13.2 / bash
Comment 17 Petr Tesařík 2014-09-29 16:25:11 UTC
Wouldn't this patch also make sense for SLES9 SP4 (bash 2.05b)?
Comment 18 Swamp Workflow Management 2014-09-29 19:04:42 UTC
SUSE-SU-2014:1247-2: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 898346,898603,898604
CVE References: CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
Sources used:
SUSE Manager 1.7 for SLE 11 SP2 (src):    bash-3.2-147.14.22.1
Comment 19 Swamp Workflow Management 2014-09-30 15:06:11 UTC
SUSE-SU-2014:1259-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 898346,898603,898604
CVE References: CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    bash-4.2-81.1
SUSE Linux Enterprise Server 12 (src):    bash-4.2-81.1
SUSE Linux Enterprise Desktop 12 (src):    bash-4.2-81.1
 12 (src):    bash-4.2-81.1
Comment 21 Swamp Workflow Management 2014-10-01 12:07:00 UTC
bugbot adjusting priority
Comment 22 Swamp Workflow Management 2014-10-02 15:09:49 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-10-09.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/59267
Comment 27 Olaf Kirch 2014-10-07 13:18:08 UTC
Sebastian, I assume this also applies to CVE-2014-6278? IBM complained that
we do not have patches for this in SLE12 GA.
Comment 28 Sebastian Krahmer 2014-10-07 13:36:27 UTC
I guess you speak of bsc#900057 
Thomas already made a comment on that and I agree that CVE-2014-6278
is a minor issue which is a fallout of the more severe bugs we
already fixed. So this qualifies for keeping it on the
planned update list.
Comment 29 Swamp Workflow Management 2014-10-13 23:05:09 UTC
SUSE-SU-2014:1287-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 898604
CVE References: CVE-2014-6271,CVE-2014-6277,CVE-2014-6278,CVE-2014-7169
Sources used:
SUSE Studio Onsite 1.3 (src):    Containment-Studio-SLE11_SP3-5.04.108-20141006122525
Comment 31 Bernhard Wiedemann 2014-11-03 15:01:17 UTC
This is an autogenerated message for OBS integration:
This bug (898604) was mentioned in
https://build.opensuse.org/request/show/259512 Factory / bash