SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   GNU bash Vendors:   GNU [multiple authors]
(Debian Issues Fix) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
SecurityTracker Alert ID:  1030927
SecurityTracker URL:  http://securitytracker.com/id/1030927
CVE Reference:   CVE-2014-7169, CVE-2014-7186, CVE-2014-7187   (Links to External Site)
Date:  Sep 26 2014
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4.3
Description:   Several vulnerabilities were reported in GNU bash. A user can execute arbitrary code on the target system.

The software does not properly process environment variables.

A user can supply a specially crafted value that includes a bash function followed by additional code that, when processed by bash, will execute the additional code [CVE-2014-6271]. This vulnerability is known as "Shellshock".

Stephane Chazelas reported this vulnerability.

An initial fix for CVE-2014-6271 did not properly fix this flaw [CVE-2014-7169].

A user can supply a specially crafted value to trigger an out-of-bounds memory access in redir_stack() and potentially execute arbitrary code [CVE-2014-7186].

Florian Weimer of Red Hat Product Security reported this vulnerability.

A user can supply specially crafted, deeply nested flow control constructs to trigger an off-by-one error and potentially execute arbitrary code [CVE-2014-7187].

Florian Weimer of Red Hat Product Security reported this vulnerability.

A user can supply specially crafted data to access uninitialized memory and overwrite a pointer to potentially execute arbitrary code [CVE-2014-6277].

A user can supply specially crafted data to execute arbitrary code [CVE-2014-6278].

Michal Zalewski reported these vulnerabilities.

On a system with an application that passes data from a remote or remote authenticated user to bash, a remote or remote authenticated user may be able to exploit these vulnerabilities to execute arbitrary code.

Some common system application configurations are affected.

Demonstration exploit code is available.

This vulnerability is being actively exploited.

Impact:   A user can execute arbitrary code on the target system. In some application configurations, a remote user may be able to exploit this.
Solution:   Debian has issued a fix for CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187 (4.2+dfsg-0.1+deb7u3).

The Debian advisory is available at:

https://www.debian.org/security/2014/dsa-3035

Vendor URL:  www.gnu.org/software/bash/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Debian)
Underlying OS Comments:  7

Message History:   This archive entry is a follow-up to the message listed below.
Sep 24 2014 GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code



 Source Message Contents

Subject:  [SECURITY] [DSA 3035-1] bash security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3035-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
September 25, 2014                     http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bash
CVE ID         : CVE-2014-7169
Debian Bug     : 762760 762761

Tavis Ormandy discovered that the patch applied to fix CVE-2014-6271
released in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was
incomplete and could still allow some characters to be injected into
another environment (CVE-2014-7169). With this update prefix and suffix
for environment variable names which contain shell functions are added
as hardening measure.

Additionally two out-of-bounds array accesses in the bash parser are
fixed which were revealed in Red Hat's internal analysis for these
issues and also independently reported by Todd Sabin.

For the stable distribution (wheezy), these problems have been fixed in
version 4.2+dfsg-0.1+deb7u3.

We recommend that you upgrade your bash packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJUJIZRAAoJEAVMuPMTQ89EBjMP/3QWVLlaIlKEiZ84LAwsyf5h
DZXP9mTEnXOyPlwbsydG4qJNuv0QQvkDmy0nQm8J8U9tWtRuAPqfdE1O6qHnNQHY
9xFAMk+sro+F4gVuesiRshACy6qII2Ie20ypUT0uyj53Yd0FQwecKtHIMbbOW7AM
xDNiMGlv4hzaVOTV3i9z+USsbbaqpTR1QSQMSzP0MPBnc+9idCIyg/LPU0ZJTirL
Hdx9AMGk9tlD5BzU9CCA83xigOQ2c3DrAqxT2zidhGsHUVIE4+L2Q0jXwfIXi9B5
wp5DEbGdmfPO0ZuGP40m9T5todlCCPX2/sANePROLkYZjaBKFkptK1l2Kutk7pbE
rPevXBUpLzwCN+nS0RRTDaqPyeAA9SIgaKHKeJ03cqs15LXJLbChJLVIwtw1TY35
/ZJaTthGxMwEfLzCvM/O/mwooFl5C7rhEMiDsE3dqVJer5UmbS2uUa0O6s5jFlbS
azeEaat25RLQB96Q44gGM0BUvOWtyImApACEa4AW7EA4ElcjlqOlFszVqWL+8mXe
uucRq2v14CUgSdo2WRC5WWIaYTtdgDcPqfzrL1ZwzO1QBggCOOgfTscUzvXQzcR3
oB30GhH3Wt8WcyjpMRsJsoU2gtA2QKMHKF252hNmuUsdYlYDxOQBr4Qdf0/t+dOg
2HiapmyVDkvxwSj70zlk
=hYD1
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC