[Bug 1378114] [NEW] Ubuntu 14.10 bash is still vulnerable to CVE-2014-6277 and CVE-2014-7186.

Launchpad Bug Tracker 1378114 at bugs.launchpad.net
Mon Oct 6 22:11:05 UTC 2014


You have been subscribed to a public bug:

---Problem Description---
Ubuntu 14.10 bash still vulnerable to CVE-2014-6277 and CVE-2014-7186.
  
---uname output---
manu@ubuntu:~$ uname -a
Linux ubuntu 3.16.0-20-generic #27-Ubuntu SMP Wed Oct 1 17:24:38 UTC 2014 ppc64le ppc64le ppc64le GNU/Linux
 
Machine Type = 8284-22A 
  
---Steps to Reproduce---
Ubuntu 14.10 bash still vulnerable to CVE-2014-6277 and CVE-2014-7186.

1. Install the Oct 5 ppc64le Ubuntu 14.10 ISO image.

2. Upgrade to the latest bash.
manu@ubuntu:~$ sudo apt-get update; apt-get install --only-upgrade bash

manu@ubuntu:~$ bash --version
GNU bash, version 4.3.27(1)-release (powerpc64le-unknown-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.



3. Run the shellshocker.net tests to see if bash is still vulnerable.

manu@ubuntu:~$ curl https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2533  100  2533    0     0   3675      0 --:--:-- --:--:-- --:--:--  3671
CVE-2014-6271 (original shellshock): not vulnerable
bash: line 16: 14233 Segmentation fault      bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
bash: line 49: 14250 Segmentation fault      bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2> /dev/null
CVE-2014-7186 (redir_stack bug): VULNERABLE
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable

Based on the test suite results, CVE-2014-6277 and CVE-2014-7186 are
still vulnerable on Ubuntu 14.10.

Other similar tests in these areas which still fail:

1. manu@ubuntu:~$ bash -c "f(){ x(){ _;};x(){ _;}<<a;}"
Segmentation fault

2. manu@ubuntu:/tmp$ bash -c ':<<a<<b<<c<<d<<e<<f<<g<<h<<i<<j<<k<<l<<m<<n'
Segmentation fault


3. manu@ubuntu:/tmp$ bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"
Segmentation fault
CVE-2014-7186 vulnerable, redir_stack

4. manu@ubuntu:~$ bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable
Segmentation fault
vulnerable

** Affects: bash (Ubuntu)
     Importance: Undecided
         Status: Confirmed


** Tags: architecture-ppc64le bugnameltc-117187 severity-high targetmilestone-inin---
-- 
Ubuntu 14.10 bash is still vulnerable to CVE-2014-6277 and CVE-2014-7186.
https://bugs.launchpad.net/bugs/1378114
You received this bug notification because you are a member of Ubuntu Foundations Bugs, which is subscribed to bash in Ubuntu.
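
Added example, not part of the original bug report: a small checker that runs the two crash tests quoted above in a child shell and reports a crash only when the child was killed by a signal (exit status above 128), so that an ordinary non-zero exit is not counted as a segfault. The names `BASH_BIN`, `classify_status` and `run_check` are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the bug report. BASH_BIN is an assumed override
# that selects the bash binary under test (default: first "bash" on PATH).
BASH_BIN="${BASH_BIN:-bash}"

# A status above 128 means the child was killed by signal (status - 128);
# 139 is 128 + 11 (SIGSEGV). Ordinary failures (1, 2, 127, ...) are not crashes.
classify_status() {
    if [ "$1" -gt 128 ]; then
        echo "VULNERABLE (killed by signal $(( $1 - 128 )))"
    else
        echo "not vulnerable (exit status $1)"
    fi
}

# Run one test string in a fresh child shell, discard its output, print a verdict.
run_check() {
    if ! command -v "$BASH_BIN" >/dev/null 2>&1; then
        echo "skipped ($BASH_BIN not found)"
        return 0
    fi
    status=0
    "$BASH_BIN" -c "$1" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# Test strings copied from the shellshocker.net output quoted in the report.
T6277='f() { x() { _;}; x() { _;} <<a; }'
T7186='true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'

# Report the version of the binary under test, then one verdict per check.
"$BASH_BIN" --version 2>/dev/null | head -n 1
echo "CVE-2014-6277 (segfault): $(run_check "$T6277")"
echo "CVE-2014-7186 (redir_stack bug): $(run_check "$T7186")"
```

Set `BASH_BIN` to a specific path to test a bash build other than the one first on `PATH`.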


