Bug 898604 - VUL-0: bash: functions via environment hardening
VUL-0: bash: functions via environment hardening
Status: RESOLVED WONTFIX
: 898888 (view as bug list)
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
maint:released:sle11-sp1:59120 maint:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-09-26 09:06 UTC by Marcus Meissner
Modified: 2015-03-25 13:04 UTC (History)
9 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
variables-affix-3.0.patch (5.29 KB, patch)
2014-09-26 09:06 UTC, Marcus Meissner
Details | Diff
variables-affix-4.2.patch (4.99 KB, patch)
2014-09-26 09:07 UTC, Marcus Meissner
Details | Diff
variables-affix-3.2.patch (4.95 KB, patch)
2014-09-26 11:43 UTC, Marcus Meissner
Details | Diff
variables-affix-3.1.patch (5.11 KB, patch)
2014-09-26 11:47 UTC, Marcus Meissner
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2014-09-26 09:06:48 UTC
Created attachment 608084 [details]
variables-affix-3.0.patch

via oss-sec and debian

This patch disallows passing of function macros in variables except when named
BASH_FUNC_* 

Due to the unexpected nature we shoudl include this hardening method.
Comment 1 Marcus Meissner 2014-09-26 09:07:05 UTC
Created attachment 608085 [details]
variables-affix-4.2.patch

variables-affix-4.2.patch
Comment 2 Dr. Werner Fink 2014-09-26 10:08:32 UTC
This patch does conflict with the patch of CVE-2014-6271!
Comment 3 Marcus Meissner 2014-09-26 11:43:54 UTC
Created attachment 608128 [details]
variables-affix-3.2.patch

ported patch for bash 3.2 (SLE11 SP3) on top of the CVE-2014-6271 patch
Comment 4 Marcus Meissner 2014-09-26 11:47:28 UTC
Created attachment 608129 [details]
variables-affix-3.1.patch

variables-affix-3.1.patch  based on top of CVE-2014-6721
Comment 7 Bernhard Wiedemann 2014-09-26 13:00:21 UTC
This is an autogenerated message for OBS integration:
This bug (898604) was mentioned in
https://build.opensuse.org/request/show/252461 13.1 / bash
https://build.opensuse.org/request/show/252465 12.3 / bash
Comment 8 Marcus Meissner 2014-09-27 11:21:26 UTC
testcase ...

function export should only work if named BASH_FUNC_xx()

ff() {
   echo ffhello
}
export -f ff
export FOOff="() { echo FOOhello; }"
bash
env|grep ff
FOOff
ff
exit

Before: will print "FOOhello" and "ffhello"

After: will print "ffhello" and an error for FOOff
Comment 10 Marcus Meissner 2014-09-28 08:26:35 UTC
even simpler:

foo='() { echo not patched; }' bash -c foo
Comment 11 Swamp Workflow Management 2014-09-28 10:06:28 UTC
openSUSE-SU-2014:1229-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 898346,898603,898604
CVE References: CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
Sources used:
openSUSE 12.3 (src):    bash-4.2-61.15.1
Comment 12 Swamp Workflow Management 2014-09-28 10:10:37 UTC
openSUSE-SU-2014:1242-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 898346,898603,898604
CVE References: CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
Sources used:
openSUSE 13.1 (src):    bash-4.2-68.8.1
Comment 13 Swamp Workflow Management 2014-09-28 17:05:47 UTC
SUSE-SU-2014:1247-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 898346,898603,898604
CVE References: CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    bash-3.2-147.22.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    bash-3.2-147.22.1
SUSE Linux Enterprise Server 11 SP3 (src):    bash-3.2-147.22.1
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    bash-3.2-147.14.22.1
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    bash-3.2-147.14.22.1
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    bash-3.1-24.34.1
SUSE Linux Enterprise Server 10 SP3 LTSS (src):    bash-3.1-24.34.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    bash-3.2-147.22.1
Comment 14 Marcus Meissner 2014-09-29 06:05:51 UTC
*** Bug 898888 has been marked as a duplicate of this bug. ***
Comment 15 Bernhard Wiedemann 2014-09-29 08:00:20 UTC
This is an autogenerated message for OBS integration:
This bug (898604) was mentioned in
https://build.opensuse.org/request/show/252744 Factory / bash
Comment 16 Bernhard Wiedemann 2014-09-29 09:03:11 UTC
This is an autogenerated message for OBS integration:
This bug (898604) was mentioned in
https://build.opensuse.org/request/show/252752 13.2 / bash
Comment 17 Petr Tesařík 2014-09-29 16:25:11 UTC
Wouldn't this patch also make sense for SLES9 SP4 (bash 2.05b)?
Comment 18 Swamp Workflow Management 2014-09-29 19:04:42 UTC
SUSE-SU-2014:1247-2: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 898346,898603,898604
CVE References: CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
Sources used:
SUSE Manager 1.7 for SLE 11 SP2 (src):    bash-3.2-147.14.22.1
Comment 19 Swamp Workflow Management 2014-09-30 15:06:11 UTC
SUSE-SU-2014:1259-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 898346,898603,898604
CVE References: CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    bash-4.2-81.1
SUSE Linux Enterprise Server 12 (src):    bash-4.2-81.1
SUSE Linux Enterprise Desktop 12 (src):    bash-4.2-81.1
 12 (src):    bash-4.2-81.1
Comment 21 Swamp Workflow Management 2014-10-01 12:07:00 UTC
bugbot adjusting priority
Comment 22 Swamp Workflow Management 2014-10-02 15:09:49 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-10-09.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/59267
Comment 27 Olaf Kirch 2014-10-07 13:18:08 UTC
Sebastian, I assume this also applies to CVE-2014-6278? IBM complained that
we do not have patches for this in SLE12 GA.
Comment 28 Sebastian Krahmer 2014-10-07 13:36:27 UTC
I guess you speak of bsc#900057 
Thomas already made a comment on that and I agree that CVE-2014-6278
is a minor issue which is a fallout of the more severe bugs we
already fixed. So this qualifies for keeping it on the
planned update list.
Comment 29 Swamp Workflow Management 2014-10-13 23:05:09 UTC
SUSE-SU-2014:1287-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 898604
CVE References: CVE-2014-6271,CVE-2014-6277,CVE-2014-6278,CVE-2014-7169
Sources used:
SUSE Studio Onsite 1.3 (src):    Containment-Studio-SLE11_SP3-5.04.108-20141006122525
Comment 31 Bernhard Wiedemann 2014-11-03 15:01:17 UTC
This is an autogenerated message for OBS integration:
This bug (898604) was mentioned in
https://build.opensuse.org/request/show/259512 Factory / bash