On 09/30/2014 07:42 PM, Andy wrote:
> Eric Blake (cygwin <ebb9 <at> byu.net> writes:
>> This is a minor rebuild which picks up an upstream patch to fix
>> CVE-2014-7169 and all other ShellShock attacks (4.1.13-6 was also safe,
>> but used a slightly different downstream patch that used '()' instead of
>> '%%' in environment variables, and which was overly restrictive on
>> importing functions whose name was not an identifier).  There are still
>> known parser crashers (such as CVE-2014-7186, CVE-2014-7187, and
>> CVE-2014-6277) where upstream will probably issue patches soon; but
>> while those issues can trigger a local crash, they cannot be exploited
>> for escalation of privilege via arbitrary variable contents by this
>> build.  Left unpatched, a vulnerable version of bash could allow
>> arbitrary code execution via specially crafted environment variables,
>> and was exploitable through a number of remote services, so it is highly
>> recommended that you upgrade
> 
> I found this to be a good test site, with a comprehensive list of
> exploits and explicit description of what to expect in order to decide
> whether an exploit is still active: http://shellshocker.net

That site is not 100% accurate.

Among others, it claims that:

env X=' () { }; echo hello' bash -c 'date'

can output hello on vulnerable bash.  That is untrue; no version of bash
exists with that behavior (the shellshock behavior REQUIRES the first
four bytes of a vulnerable variable to be "() {", but that example
started with space).

Furthermore, it claims that:

bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF
<<EOF <<EOF <<EOF <<EOF <<EOF' ||
echo "CVE-2014-7186 vulnerable, redir_stack"

proves that bash is vulnerable to shellshock.  This is a half-truth.  It
proves that bash's parser is buggy (and cygwin's bash-4.1.14-7 STILL has
that bug, because the bug is still present upstream), but you are ONLY
vulnerable to ShellShock if the parser can be called by arbitrary
variable contents.  That is, to prove you are vulnerable, you have to
test something like:

env x='() { true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF
<<EOF <<EOF <<EOF <<EOF <<EOF' bash -c :

and if THAT dumps core, then you are vulnerable to shellshock. If you
apply all the latest upstream bash patches, it is impossible for that
sequence to dump core, because arbitrary variable assignments no longer
trigger calls into the (still-buggy) parser.

So please don't spread FUD.  Cygwin bash is no longer vulnerable to
shellshock, even if it still has parser bugs.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org