Date:      Fri, 26 Sep 2014 12:41:28 -0500
From:      Bryan Drewery <bdrewery@FreeBSD.org>
Cc:        freebsd-security <freebsd-security@freebsd.org>, freebsd-ports <freebsd-ports@freebsd.org>
Subject:   Re: bash vulnerability
Message-ID:  <5425A548.9090306@FreeBSD.org>
In-Reply-To: <5425999A.3070405@FreeBSD.org>
References:  <CAHFU5H5WOnAXuFmfQEGkTvwoECATTCC3eKYE3yts+Bqh1M_8ww@mail.gmail.com> <00000148ab969845-5940abcc-bb88-4111-8f7f-8671b0d0300b-000000@us-west-2.amazonses.com> <54243F0F.6070904@FreeBSD.org> <54244982.8010002@FreeBSD.org> <16EB2C50-FBBA-4797-83B0-FB340A737238@circl.lu> <542596E3.3070707@FreeBSD.org> <CAHcXP+dx2etYgQPNiAxk2P68Z-4j+bTvdMoHfz+xKsBDKh9Z9g@mail.gmail.com> <5425999A.3070405@FreeBSD.org>


On 9/26/2014 11:51 AM, Bryan Drewery wrote:
> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>> On Fri, Sep 26, 2014 at 6:40 PM, Bryan Drewery <bdrewery@freebsd.org> wrote:
>>> On 9/26/2014 2:36 AM, Steve Clement wrote:
>>>> Dear all,
>>>>
>>>> In case you urgently need to go the manual route, here is one way to really patch your systems:
>>>>
>>>> https://www.circl.lu/pub/tr-27/
>>>>
>>>> Until the patch is in the bash upstream… (which it might be by now)
>>>>
>>>> Take care,
>>>>
>>>
>>> The port has had the fixes since yesterday. The packages are building.
>>>
>>> --
>>> Regards,
>>> Bryan Drewery
>>>
>>
>> Apparently, the full fix is still not delivered, according to this:
>> http://seclists.org/oss-sec/2014/q3/741
>>
>> Kind regards,
>> Bartek Rutkowski
>>
>
> I'm pretty sure they call that a "feature". This is a bit different.
> This is modifying the command used to call a function as the feature
> intends. The vulnerability was that just parsing the environment would
> execute the code.
>
> TL;DR; You should cleanse your environment and only accept valid input
> to work around this feature. The bash developer (Chet) said he would not
> remove it by default, at least a few days ago.
>

There is more discussion here: http://seclists.org/oss-sec/2014/q3/746

Anyway, I still think this is not anything to panic about. However, I am
making the decision to disable this feature entirely in our bash port by
default. I will use christos@NetBSD's patch to add a --import-functions
flag to bash. The port will allow selecting the default at build time.
Ours will have it disabled. I have no idea what the impact is on this,
but it is the safest route for now; scripts passing functions in the
environment is crazy.

-- 
Regards,
Bryan Drewery
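The "cleanse your environment" workaround mentioned in the thread, as an added example that is not part of any message above and is not the FreeBSD port's or christos@NetBSD's patch. It assumes only POSIX sh and env(1); the function names find_function_exports and run_sanitized, and the DEMO_FN sample value, are constructed for illustration. bash treats an environment variable whose value begins with "() {" as a function definition to import (the behaviour the --import-functions default is meant to turn off), so a wrapper that drops such values before starting a child process narrows the exposure of scripts that cannot yet run a patched bash. It is a stopgap on top of patching, not a substitute for it.

```shell
#!/bin/sh
# Added example (not code from the thread or the bash/ports patches):
# strip function-looking values from the environment before exec'ing a
# child, so a bash started downstream has nothing to import.

# Print, one per line, the names of environment variables whose value
# begins with the function-import marker "() {". Only the first line of a
# multi-line value carries "NAME=() {", so later lines never match.
find_function_exports() {
    env | while IFS= read -r line; do
        name=${line%%=*}
        value=${line#*=}
        case "$value" in
            '() {'*) printf '%s\n' "$name" ;;
        esac
    done
}

# Run "$@" in a subshell whose environment has every function-looking
# variable removed. The caller's own environment is left untouched.
run_sanitized() (
    for name in $(find_function_exports); do
        # Names bash itself generates for exported functions may not be
        # valid identifiers for unset; ignore those failures and carry on.
        unset "$name" 2>/dev/null || :
    done
    exec "$@"
)

# Demonstration with a constructed variable (assumed name DEMO_FN): the
# string is never evaluated by this script, it is only data shaped like a
# function definition.
if [ "${1:-}" = "demo" ]; then
    export DEMO_FN='() { echo hello from the environment; }'
    echo "suspicious variables: $(find_function_exports | tr '\n' ' ')"
    run_sanitized sh -c 'echo "DEMO_FN in child: ${DEMO_FN:-<removed>}"'
fi
```

Run it as `sh wrapper.sh demo` to see the constructed variable reported and then absent in the child. A wrapper like this belongs in front of the entry points that turn untrusted input into environment variables (CGI handlers, DHCP client hooks, sshd ForceCommand scripts); it does nothing for a bash that is invoked with a hostile environment by some other path, which is why the port-level fix is the real answer.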

