Bug 898603 - VUL-0: CVE-2014-7186 CVE-2014-7187: bash: bad handling of HERE documents and for loop issue
Status: RESOLVED FIXED
Duplicates: 996289
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
unspecified
Other Other
Priority: P1 - Urgent    Severity: Major
Assigned To: Dr. Werner Fink
Security Team bot
maint:released:sle11-sp1:59120 maint:...
Depends on:
Blocks:
Reported: 2014-09-26 09:00 UTC by Marcus Meissner
Modified: 2016-10-26 17:31 UTC
CC List: 5 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
parser-oob-3.2.patch (1.93 KB, patch)
2014-09-26 09:02 UTC, Marcus Meissner
parser-oob-4.2.patch (2.51 KB, patch)
2014-09-26 09:02 UTC, Marcus Meissner

Description Marcus Meissner 2014-09-26 09:00:45 UTC
via oss-sec

Note that if you ship 4.3, you might want to reevaluate a decision to
enable array variable import from the environment.

Internal analysis revealed two out-of-bounds array accesses in the bash
parser.  This was also independently and privately reported by Todd
Sabin <tsabin@optonline.net>.

The redir_stack issue is this:

$ bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: make_here_document: bad instruction type 33
Segmentation fault (core dumped)

The word_lineno issue is this (only visible with address sanitizer, but
it's probably to come up with something better):

$ (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) > test-script.sh
$ bash test-script.sh

Both issues are fixed by the parser-oob patches.

I'm also including the function definition affix patch which has already
been posted to oss-security.  (variables-affix-3.0.patch has only seen
very light review and testing yet, but it's a fairly straightforward
backport.)
Comment 1 Marcus Meissner 2014-09-26 09:01:21 UTC
From Mitre:


> From: Florian Weimer

> The redir_stack issue is this:

> -static REDIRECT *redir_stack[10];
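Review bot: only the removed declaration is quoted, so the replacement is not visible in this fragment; whatever replaces the fixed ten-entry redir_stack must also make the push in the here-document parser either bounds-checked or growable, because the reproducer in the description queues fourteen pending here-documents against an array of ten, which is the out-of-bounds access the description refers to.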

This is apparently an error in handling here documents that can be
fixed by not using the above array size.

Use CVE-2014-7186.


> The word_lineno issue is this

>      case FOR:
> -      if (word_top < MAX_CASE_NEST)
> +      if (word_top + 1 < MAX_CASE_NEST)
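Review bot: the new bound `word_top + 1 < MAX_CASE_NEST` only makes sense if word_top is incremented before it is used as an index into word_lineno, so the old check `word_top < MAX_CASE_NEST` let the index reach MAX_CASE_NEST, one past the end; that is the off-by-one described below. The constant's name indicates the same nesting counter also serves case statements, so the full patch should apply the same bound at every place word_top is raised, not only in the FOR arm quoted here.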

This is apparently an off-by-one error in the processing of deeply
nested for loops.

Use CVE-2014-7187.
Comment 2 Marcus Meissner 2014-09-26 09:02:12 UTC
Created attachment 608080: parser-oob-3.2.patch
Comment 3 Marcus Meissner 2014-09-26 09:02:26 UTC
Created attachment 608081: parser-oob-4.2.patch
Comment 6 Bernhard Wiedemann 2014-09-26 13:00:17 UTC
This is an autogenerated message for OBS integration:
This bug (898603) was mentioned in
https://build.opensuse.org/request/show/252461 13.1 / bash
https://build.opensuse.org/request/show/252465 12.3 / bash
Comment 7 Marcus Meissner 2014-09-27 11:25:04 UTC
testcase for HERE

bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'

(all in 1 line!)

before: segmentation fault
after: no output



testcase for FOR:
(for x in `seq 1 200` ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) > test-script.sh

... will generate a test-script.sh file with 200 nested loops ... 

bash test-script.sh

before:
./test-script.sh: line 129: syntax error near `x129'
./test-script.sh: line 129: `for x129 in ; do :'

(might cause another senseless parsing error)

after:
no output
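The two test cases above, turned into a regression check that can be run against a candidate bash build to confirm the parser-oob fix is in place. This is an added example, not part of the bug report or of the SUSE packages; it assumes the binary under test is passed as the first argument (default "bash") and judges success the way comment 7 does: no signal death for the here-document case, no syntax error for the nested-for case.

```shell
#!/bin/sh
# Added regression check (not from the bug report or the SUSE packages): runs
# the two reproducers from comment 7 against a bash binary and reports whether
# its parser survives. Assumption: the binary under test is $1 (default "bash").

# Here-document case (CVE-2014-7186): fourteen pending here-documents on one
# line. Returns 0 if bash survives, 1 if it was killed by a signal (the
# unpatched behaviour is a segmentation fault). The EOF warnings are expected
# and are hidden; 2 means the binary was not found.
check_heredoc() {
    bin=${1:-bash}
    command -v "$bin" >/dev/null 2>&1 || return 2
    "$bin" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1
    rc=$?
    [ "$rc" -lt 128 ]   # an exit status of 128+N means "terminated by signal N"
}

# Nested-for case (CVE-2014-7187): writes a script with $2 nested "for" loops
# (200 in the report, 1500 for SLES 9 per comment 16) and returns 0 only if $1
# parses it cleanly; unpatched bash stops at level 129 with a bogus syntax error.
check_for_nesting() {
    bin=${1:-bash}
    depth=${2:-200}
    command -v "$bin" >/dev/null 2>&1 || return 2
    tmp=$(mktemp) || return 2
    i=1
    while [ "$i" -le "$depth" ]; do
        printf 'for x%d in ; do :\n' "$i"
        i=$((i + 1))
    done > "$tmp"
    i=1
    while [ "$i" -le "$depth" ]; do
        printf 'done\n'
        i=$((i + 1))
    done >> "$tmp"
    "$bin" "$tmp" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ]
}

main() {
    bin=${1:-bash}
    if check_heredoc "$bin"; then echo "here-document stack: ok"; else echo "here-document stack: CRASH"; fi
    if check_for_nesting "$bin" 200; then echo "for nesting: ok"; else echo "for nesting: FAIL"; fi
}

main "$@"
```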
Comment 8 Swamp Workflow Management 2014-09-28 10:10:27 UTC
openSUSE-SU-2014:1242-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 898346,898603,898604
CVE References: CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
Sources used:
openSUSE 13.1 (src):    bash-4.2-68.8.1
Comment 9 Marcus Meissner 2014-09-28 16:06:45 UTC
updates were released.

must not forget factory, not sure if you submitted there Werner.
Comment 10 Swamp Workflow Management 2014-09-28 17:05:37 UTC
SUSE-SU-2014:1247-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 898346,898603,898604
CVE References: CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    bash-3.2-147.22.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    bash-3.2-147.22.1
SUSE Linux Enterprise Server 11 SP3 (src):    bash-3.2-147.22.1
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    bash-3.2-147.14.22.1
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    bash-3.2-147.14.22.1
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    bash-3.1-24.34.1
SUSE Linux Enterprise Server 10 SP3 LTSS (src):    bash-3.1-24.34.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    bash-3.2-147.22.1
Comment 11 Bernhard Wiedemann 2014-09-29 08:00:16 UTC
This is an autogenerated message for OBS integration:
This bug (898603) was mentioned in
https://build.opensuse.org/request/show/252744 Factory / bash
Comment 12 Bernhard Wiedemann 2014-09-29 09:03:04 UTC
This is an autogenerated message for OBS integration:
This bug (898603) was mentioned in
https://build.opensuse.org/request/show/252752 13.2 / bash
Comment 14 Swamp Workflow Management 2014-09-29 19:04:31 UTC
SUSE-SU-2014:1247-2: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 898346,898603,898604
CVE References: CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
Sources used:
SUSE Manager 1.7 for SLE 11 SP2 (src):    bash-3.2-147.14.22.1
Comment 15 Swamp Workflow Management 2014-09-30 15:05:54 UTC
SUSE-SU-2014:1259-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 898346,898603,898604
CVE References: CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    bash-4.2-81.1
SUSE Linux Enterprise Server 12 (src):    bash-4.2-81.1
SUSE Linux Enterprise Desktop 12 (src):    bash-4.2-81.1
 12 (src):    bash-4.2-81.1
Comment 16 Marcus Meissner 2014-10-01 06:57:27 UTC
I am able to reproduce the nesting issue on SLES 9 by using the reproducer and going to nesting level 1500.

As it is only a moderate severity issue, I think a fix for out-of-support products is not required in my eyes.
Comment 17 Marcus Meissner 2014-10-01 07:02:39 UTC
This is also covered by the bash prefix hardening enhancements we have done; attackers can no longer inject these kinds of constructs.
Comment 18 Dr. Werner Fink 2014-10-01 08:47:46 UTC
Build for SLES-9-SP4:GA for bash-2.05b is running on the internal build server, see

     home:WernerFink:branches:SUSE:SLE-9-SP4:Update:Test/bash
Comment 19 Dr. Werner Fink 2014-10-01 09:27:24 UTC
created request id 44908 for SLES-9 SP4
Comment 21 Marcus Meissner 2014-10-02 08:56:06 UTC
updates were released on Sunday.

sles9 will likely only receive fixes via PTF.
Comment 25 Bernhard Wiedemann 2014-11-03 15:01:12 UTC
This is an autogenerated message for OBS integration:
This bug (898603) was mentioned in
https://build.opensuse.org/request/show/259512 Factory / bash
Comment 26 Leonardo Chiquitto 2016-10-26 17:31:02 UTC
*** Bug 996289 has been marked as a duplicate of this bug. ***