PublicDateAtUSN: 2014-09-30
Candidate: CVE-2014-6278
PublicDate: 2014-09-30
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
http://lcamtuf.blogspot.ca/2014/09/bash-bug-apply-unofficial-patch-now.html
http://seclists.org/fulldisclosure/2014/Oct/9
http://lcamtuf.blogspot.ca/2014/10/bash-bug-how-we-finally-cracked.html
http://www.ubuntu.com/usn/usn-2380-1
Description:
GNU Bash through 4.3 bash43-026 does not properly parse function
definitions in the values of environment variables, which allows remote
attackers to execute arbitrary commands via a crafted environment, as
demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd,
the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts
executed by unspecified DHCP clients, and other situations in which setting
the environment occurs across a privilege boundary from Bash execution.
NOTE: this vulnerability exists because of an incomplete fix for
CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.
Ubuntu-Description:
Notes:
mdeslaur> this issue is mitigated by Florian Weimer's prefix-suffix patch
mdeslaur> that is included in http://www.ubuntu.com/usn/usn-2364-1/
mdeslaur> since bash parser vulnerabilities are now limited to specially
mdeslaur> named environment variables, and as such are no longer directly
mdeslaur> exposed to CGI scripts, SSH, etc.
mdeslaur>
mdeslaur> Once an upstream patch is made available, we will release bash
mdeslaur> updates, but we don't consider this to be a critical issue
mdeslaur> requiring immediate attention.
Bugs:
Priority: medium
Discovered-by: Michal Zalewski
Assigned-to: mdeslaur
Patches_bash:
upstream_bash: needs-triage
lucid_bash: released (4.1-2ubuntu3.5)
precise_bash: released (4.2-2ubuntu2.6)
trusty_bash: released (4.3-7ubuntu1.5)
devel_bash: released (4.3-11ubuntu1)