Date: Tue, 30 Sep 2014 15:58:58 -0400 From: Jung-uk Kim <jkim@FreeBSD.org> To: Jason Hellenthal <jhellenthal@dataix.net> Cc: freebsd-security <freebsd-security@freebsd.org>, Bryan Drewery <bdrewery@FreeBSD.org>, freebsd-ports <freebsd-ports@freebsd.org> Subject: Re: bash velnerability Message-ID: <542B0B82.3020201@FreeBSD.org> In-Reply-To: <2366B611-36BB-4543-9EEA-4777CCC9D127@dataix.net> References: <CAHFU5H5WOnAXuFmfQEGkTvwoECATTCC3eKYE3yts%2BBqh1M_8ww@mail.gmail.com> <00000148ab969845-5940abcc-bb88-4111-8f7f-8671b0d0300b-000000@us-west-2.amazonses.com> <54243F0F.6070904@FreeBSD.org> <54244982.8010002@FreeBSD.org> <16EB2C50-FBBA-4797-83B0-FB340A737238@circl.lu> <542596E3.3070707@FreeBSD.org> <CAHcXP%2Bdx2etYgQPNiAxk2P68Z-4j%2BbTvdMoHfz%2BxKsBDKh9Z9g@mail.gmail.com> <5425999A.3070405@FreeBSD.org> <5425A548.9090306@FreeBSD.org> <5425D427.8090309@FreeBSD.org> <54298266.1090201@sentex.net> <5429851B.8060500@FreeBSD.org> <542AFC54.9010405@FreeBSD.org> <2366B611-36BB-4543-9EEA-4777CCC9D127@dataix.net>
next in thread | previous in thread | raw e-mail | index | archive | help
This is a multi-part message in MIME format.
--------------040100080403030600080603
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
On 2014-09-30 14:58:07 -0400, Jason Hellenthal wrote:
> echo "Testing Exploit 1 (CVE-2014-6271)"
> CVE6271="$(env x='() { :;}; echo -n V' bash -c : 2>/dev/null)"
> [ "${CVE7187}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
>
> echo "Testing Exploit 2 (CVE-2014-7169)"
> CVE7169="$(env X='() { (4lpi.com)=>\' bash -c "echo date" 2>/dev/null; cat echo 2>/dev/null; rm -f echo)"
> [ ! "${CVE7169}" == "date" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
>
> echo "Testing Exploit 3 (CVE-2014-6277)"
> CVE6277="$(env -i X=' () { }; echo -n V' bash -c :)"
> [ "${CVE6277}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
>
> echo "Testing Exploit 4 (CVE-2014-7186)"
> CVE7186="$(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null ||echo -n V)"
> [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
>
> echo "Testing Exploit 5 (CVE-2014-7187)"
> CVE7187="$((for x in {1..200}; do echo "for x$x in ; do :"; done; for x in {1..200}; do echo done; done) |bash 2>/dev/null ||echo -n V)"
> [ "${CVE7187}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE”
>
> Good luck ;-)
Yes, it passes all tests (the patch attached).
Jung-uk Kim
--------------040100080403030600080603
Content-Type: text/plain; charset=UTF-8;
name="patch-parse.y"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="patch-parse.y"
--- parse.y.orig 2014-09-30 12:58:08.462512373 -0400
+++ parse.y 2014-09-30 12:58:08.629018000 -0400
@@ -265,9 +265,21 @@
/* Variables to manage the task of reading here documents, because we need to
defer the reading until after a complete command has been collected. */
-static REDIRECT *redir_stack[10];
+static REDIRECT **redir_stack;
int need_here_doc;
+/* Pushes REDIR onto redir_stack, resizing it as needed. */
+static void
+push_redir_stack (REDIRECT *redir)
+{
+ /* Guard against oveflow. */
+ if (need_here_doc + 1 > INT_MAX / sizeof (*redir_stack))
+ abort ();
+ redir_stack = xrealloc (redir_stack,
+ (need_here_doc + 1) * sizeof (*redir_stack));
+ redir_stack[need_here_doc++] = redir;
+}
+
/* Where shell input comes from. History expansion is performed on each
line when the shell is interactive. */
static char *shell_input_line = (char *)NULL;
@@ -520,42 +532,42 @@
source.dest = 0;
redir.filename = $2;
$$ = make_redirection (source, r_reading_until, redir, 0);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
| NUMBER LESS_LESS WORD
{
source.dest = $1;
redir.filename = $3;
$$ = make_redirection (source, r_reading_until, redir, 0);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
| REDIR_WORD LESS_LESS WORD
{
source.filename = $1;
redir.filename = $3;
$$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
| LESS_LESS_MINUS WORD
{
source.dest = 0;
redir.filename = $2;
$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
| NUMBER LESS_LESS_MINUS WORD
{
source.dest = $1;
redir.filename = $3;
$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
| REDIR_WORD LESS_LESS_MINUS WORD
{
source.filename = $1;
redir.filename = $3;
$$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
| LESS_LESS_LESS WORD
{
@@ -4905,7 +4917,7 @@
case CASE:
case SELECT:
case FOR:
- if (word_top < MAX_CASE_NEST)
+ if (word_top + 1 < MAX_CASE_NEST)
word_top++;
word_lineno[word_top] = line_number;
break;
--------------040100080403030600080603--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?542B0B82.3020201>