Re: bash-2.05b-013 appears to not work

[Dave Kalaluhi]

I guess that would help. I meant to include that in the initial mail,
but alas, running in 50K directions.

Locally we are using:

(for x in {1..200} ; do echo for x$x in ; do :; done; for x in
{1..200} ; do echo done ; done) | bash ||
echo CVE-2014-7187 vulnerable, word_lineno

If we run the test via ssh, it is showing patched, however locally is
still showing vulnerable.

Thanks Eric,
Dave

On 10/16/14, Chet Ramey chet.ra...@case.edu wrote:
 On 10/16/14, 5:02 PM, Dave Kalaluhi wrote:
 We have been compiling some of the older versions of bash to fix
 vulnerabilities, and for the most, has been working.

 However, when we patch the 013 patch for CVE-2014-7187, and run the
 nested loop, it's still showing as vulnerable.

 Has anyone else had a similiar experience?

 Since the code that had the off-by-one error was not even in bash-2.05b,
 I'm skeptical that it's vulnerable.

 --
 ``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
 Chet Ramey, ITS, CWRUc...@case.eduhttp://cnswww.cns.cwru.edu/~chet/

Re: bash-2.05b-013 appears to not work

[Greg Wooledge]

On Fri, Oct 17, 2014 at 10:10:36AM -0400, Dave Kalaluhi wrote:
 Locally we are using:
 
 (for x in {1..200} ; do echo for x$x in ; do :; done; for x in
 {1..200} ; do echo done ; done) | bash ||
 echo CVE-2014-7187 vulnerable, word_lineno

As mentioned in previous emails on this topic, that test is NOT
correct for bash 2.05b because it uses the {1..200} syntax which
was not introduced until bash 3.  Replace it with a C-style for
loop.

Re: bash-2.05b-013 appears to not work

[Andreas Schwab]

Eric Blake ebl...@redhat.com writes:

 The following is a better test for whether CVE-2014-7187 can be
 exploited to remotely attack your system:

 f='() { echo vulnerable; } bash -c f

Missing quote character.

f='() { echo vulnerable; }' bash -c f

Andreas.

-- 
Andreas Schwab, sch...@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
And now for something completely different.

Re: Issue with Bash-4.3 Official Patch 27

[Lorenz . Bucher . ext]

No, I can't. 
$ foo%%=bar
foo%%=bar: command not found

Or better said not in the normal way
$ set foo%%=bar

--
Mit freundlichen Grüßen

Lorenz Bucher
TechConnect GmbH

Im Auftrag der/on behalf of
Rohde  Schwarz GmbH  Co. KG

Postfach 80 14 69   •   81614 München
Mühldorfstraße 15   •   81671 München
Telefon:(089) 4129-15684
Mail: lorenz.bucher@rohde-schwarz.com
Internet: www.rohde-schwarz.com



Von:Chet Ramey chet.ra...@case.edu
An: lorenz.bucher@rohde-schwarz.com, wool...@eeg.ccf.org, 
Kopie:  bug-bash@gnu.org, Eduardo A. Bustamante López 
dual...@gmail.com, chet.ra...@case.edu
Datum:  10/16/2014 03:09 PM
Betreff:Re: Issue with Bash-4.3 Official Patch 27
Gesendet von:   
bug-bash-bounces+lorenz.bucher.ext=rohde-schwarz@gnu.org



On 10/15/14, 1:49 PM, lorenz.bucher@rohde-schwarz.com wrote:

 But anyway.
 In my opinion I should trust a shell not violating their own rules and 
be 
 able to import their own variables.

That's not the issue.  The shell can import variables like that just fine,
as evidenced by exported functions actually working.  The question is
whether or not `export' lets you set and export non-identifiers.  It does
and should not.

 So the % character should be allowed to be used in variable names.

No, shell variable names should continue to be shell identifiers.  You
can already use `%' (any character, really) in environment variable
names.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
  ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRUc...@case.edu
http://cnswww.cns.cwru.edu/~chet/

Re: bash-2.05b-013 appears to not work

[Dave Kalaluhi]

Awesome - Thanks everyone for the help! I will forward these responses
on to the security group. But again, Thank you everyone!!!

-Dave

On 10/17/14, Andreas Schwab sch...@linux-m68k.org wrote:
 Eric Blake ebl...@redhat.com writes:

 The following is a better test for whether CVE-2014-7187 can be
 exploited to remotely attack your system:

 f='() { echo vulnerable; } bash -c f

 Missing quote character.

 f='() { echo vulnerable; }' bash -c f

 Andreas.

 --
 Andreas Schwab, sch...@linux-m68k.org
 GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
 And now for something completely different.

Re: commands do not ignore TSTP if TSTP ignored already

[Chet Ramey]

On 10/16/14, 12:38 AM, idal...@idallen.ca wrote:

 Bash Version: 4.2
 Patch Level: 25
 Release Status: release
 
 Description:
 
 If a bash shell script starts up with TSTP ignored, commands run by that
 script will not ignore TSTP, even if you set a trap in the script to
 ignore TSTP.  If the script starts up with TSTP not ignored, then the
 trap to ignore TSTP works fine.

Thanks for the report.  This will be fixed in the next release of bash.

Chet

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRUc...@case.eduhttp://cnswww.cns.cwru.edu/~chet/

Re: Issue with Bash-4.3 Official Patch 27

[Chet Ramey]

On 10/16/14, 4:37 PM, Geir Hauge wrote:

 Regardless though, shouldn't source (declare -xp) work whether or not
 the environment contains invalid identifiers? It doesn't at present:
 
 $ env %=% bash -c 'echo $BASH_VERSION; source (declare -xp)'
 4.3.30(1)-release
 /dev/fd/63: line 1: declare: `%': not a valid identifier
 
 Isn't declare -p output meant to be reusable as shell input?

Yeah.  Names that get imported from the environment, but which are not
valid shell identifiers, should not leak into declare -p output.

I made that change about ten days ago, and it will be in the next release
of bash.  The current warning is an annoyance but otherwise doesn't
impact anything.

Chet

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRUc...@case.eduhttp://cnswww.cns.cwru.edu/~chet/

Re: Issue with Bash-4.3 Official Patch 27

[Chet Ramey]

On 10/17/14, 11:22 AM, lorenz.bucher@rohde-schwarz.com wrote:
 No, I can't. 
 $ foo%%=bar
 foo%%=bar: command not found

You just demonstrated what I wrote:

 No, shell variable names should continue to be shell identifiers.  You
 can already use `%' (any character, really) in environment variable
 names.

You attempted to create a shell variable with a name that isn't a valid
shell identifier, and it didn't work.  You can use `env' or equivalent to
place arbitrary strings into the environment, but you can't use the shell
to do it.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRUc...@case.eduhttp://cnswww.cns.cwru.edu/~chet/

Re: Issue with Bash-4.3 Official Patch 27

[Chet Ramey]

On 10/17/14, 11:34 AM, Greg Wooledge wrote:

 3) Everything else.  These are ignored.
 

Not quite.  Bash saves them and adds them to the environment it passes to
the external commands it invokes.  Bash is transparent with respect to
environment variables it doesn't handle.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRUc...@case.eduhttp://cnswww.cns.cwru.edu/~chet/