From: Eric Blake
Date: Wed, 01 Oct 2014 02:47:00 -0000
To: cygwin@cygwin.com
Subject: Re: [ANNOUNCEMENT] Updated: bash-4.1.14-7
Message-ID: <542B6B1F.9050801@redhat.com>

On 09/30/2014 07:42 PM, Andy wrote:
> Eric Blake (cygwin byu.net> writes:
>> This is a minor rebuild which picks up an upstream patch to fix
>> CVE-2014-7169 and all other ShellShock attacks (4.1.13-6 was also safe,
>> but used a slightly different downstream patch that used '()' instead of
>> '%%' in environment variables, and which was overly restrictive on
>> importing functions whose name was not an identifier). There are still
>> known parser crashers (such as CVE-2014-7186, CVE-2014-7187, and
>> CVE-2014-6277) where upstream will probably issue patches soon; but
>> while those issues can trigger a local crash, they cannot be exploited
>> for escalation of privilege via arbitrary variable contents by this
>> build. Left unpatched, a vulnerable version of bash could allow
>> arbitrary code execution via specially crafted environment variables,
>> and was exploitable through a number of remote services, so it is highly
>> recommended that you upgrade
>
> I found this to be a good test site, with a comprehensive list of
> exploits and explicit description of what to expect in order to decide
> whether an exploit is still active: http://shellshocker.net

That site is not 100% accurate. Among others, it claims that:

env X=' () { }; echo hello' bash -c 'date'

can output hello on vulnerable bash. That is untrue; no version of bash
exists with that behavior (the shellshock behavior REQUIRES the first
four bytes of a vulnerable variable to be "() {", but that example
started with space).

Furthermore, it claims that:

bash -c 'true <
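
The prefix rule stated in the reply above (a value counts as a function definition only when its first four bytes are "() {"), as an added shell example that is not part of the original message and is not bash's own code. The function names, output labels and sample entries are constructed for illustration, and the BASH_FUNC_<name>%% check assumes the '%%' export form that the announcement attributes to the upstream patch.

```sh
#!/bin/sh
# Added illustration, not bash source. Labels and sample entries are constructed.

# classify_entry 'NAME=VALUE' prints one of:
#   legacy-import   ordinary name, value starts with the exact bytes "() {":
#                   a bash without the fix parses it as a function definition
#   patched-export  name has the BASH_FUNC_<name>%% form (assumed from the
#                   '%%' scheme the announcement describes)
#   inert           everything else, including a leading-space near miss
classify_entry() {
    name=${1%%=*}     # text before the first '='
    value=${1#*=}     # text after the first '='
    case $value in
        '() {'*) ;;                      # exact four-byte prefix
        *) echo inert; return 0 ;;
    esac
    case $name in
        BASH_FUNC_*%%) echo patched-export ;;
        *)             echo legacy-import ;;
    esac
}

# scan_entries reads NAME=VALUE lines on stdin and reports the non-inert ones.
# It is line-oriented: a multi-line value is judged by its first line only.
scan_entries() {
    while IFS= read -r entry; do
        class=$(classify_entry "$entry")
        [ "$class" = inert ] || printf '%s\t%s\n' "$class" "${entry%%=*}"
    done
}

# Constructed sample entries; the first is the value quoted in the message.
sample_entries() {
    cat <<'EOF'
X= () { }; echo hello
Y=() { }; echo hello
BASH_FUNC_greet%%=() {  echo hi
TERM=xterm
EOF
}

sample_entries | scan_entries
```

Feeding it the output of `env` on a host that still runs an unpatched bash shows which inherited variables that bash would try to parse as functions.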