CVE-2014-7169 fix not effective on trusty

Bug #1374207 reported by Rey Tucker
This bug affects 8 people
Affects          Status         Importance   Assigned to        Milestone
bash (Ubuntu)    Invalid        Undecided    Marc Deslauriers
Lucid            Fix Released   Undecided    Unassigned
Precise          Fix Released   Undecided    Unassigned
Trusty           Fix Released   Undecided    Marc Deslauriers
Utopic           Invalid        Undecided    Marc Deslauriers

Bug Description

I can reproduce the testcase from 1373781 with bash 4.3-7ubuntu1.2 on trusty. The patch did NOT fix it, unfortunately.

rtucker@racer-x:~$ rm -f echo && env -i X='() { (a)=>\' bash -c 'echo id'; cat echo
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
uid=1000(rtucker) gid=1000(rtucker) groups=1000(rtucker),4(adm),6(disk),24(cdrom),27(sudo),30(dip),46(plugdev),112(lpadmin),119(sambashare)
rtucker@racer-x:~$ bash --version
GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
rtucker@racer-x:~$ apt-cache policy bash
bash:
  Installed: 4.3-7ubuntu1.2
  Candidate: 4.3-7ubuntu1.2
  Version table:
 *** 4.3-7ubuntu1.2 0
        500 http://mirrors.linode.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://mirrors.linode.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     4.3-6ubuntu1 0
        500 http://mirrors.linode.com/ubuntu/ trusty/main amd64 Packages

precise does seem fixed, however:

rtucker@barleywine:~$ rm -f echo && env -i X='() { (a)=>\' bash -c 'echo id'; cat echo
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
id
cat: echo: No such file or directory
rtucker@barleywine:~$ bash --version
GNU bash, version 4.2.25(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
rtucker@barleywine:~$ apt-cache policy bash
bash:
  Installed: 4.2-2ubuntu2.3
  Candidate: 4.2-2ubuntu2.3
  Version table:
 *** 4.2-2ubuntu2.3 0
        500 http://mirrors.linode.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://mirrors.linode.com/ubuntu/ precise-security/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     4.2-2ubuntu2 0
        500 http://mirrors.linode.com/ubuntu/ precise/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

Rey Tucker (rtucker) wrote :

This has been commented publicly on bug #1373781, and is also becoming common knowledge on IRC. Switching bug visibility to Public.

information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in bash (Ubuntu):
status: New → Confirmed
Harry Willis (hwillis19) wrote :

As per comment #5 on bug #1373781, the executables appear not to have been updated to their patched versions (forgot to recompile, I guess?) before the packages were generated.

Appears to be the case for all bash and bash-static packages of the 4.3-7ubuntu1.2 ilk.

Marc Deslauriers (mdeslaur) wrote :

There was a build issue with the Ubuntu 14.04 package, and I am in the process of fixing it now. An update will be released within the hour.

The other releases should be ok.

Changed in bash (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in bash (Ubuntu Lucid):
status: New → Fix Released
Changed in bash (Ubuntu Precise):
status: New → Fix Released
Changed in bash (Ubuntu Trusty):
status: New → In Progress
Changed in bash (Ubuntu Utopic):
status: Confirmed → In Progress
Changed in bash (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bash - 4.3-7ubuntu1.3

---------------
bash (4.3-7ubuntu1.3) trusty-security; urgency=medium

  * Updated debian/patches/CVE-2014-7169.diff to also patch y.tab.c in
    case it doesn't get regenerated when built (LP: #1374207)
 -- Marc Deslauriers <email address hidden> Thu, 25 Sep 2014 21:20:03 -0400

Changed in bash (Ubuntu Trusty):
status: In Progress → Fix Released
Mathew Hodson (mhodson) wrote :

Should we mark this report as a duplicate of bug #1373781?

Changed in bash (Ubuntu Utopic):
status: In Progress → Invalid
Mathew Hodson (mhodson) wrote :
Thomas Muthmann (tmuthmann) wrote :

Fix does not work in every directory
Using Trusty and 4.3-7ubuntu1.3

sudo -i

cd /root
X='() { function a a>\' bash -c echo; [ -e echo ] && echo "hacked"

bash: X: line 1: syntax error near unexpected token `a'
bash: X: line 1: `'
bash: error importing function definition for `X'

hacked

cd /bin
X='() { function a a>\' bash -c echo; [ -e echo ] && echo "hacked"

bash: X: line 1: syntax error near unexpected token `a'
bash: X: line 1: `'
bash: error importing function definition for `X'

hacked

cd /usr/bin

X='() { function a a>\' bash -c echo; [ -e echo ] && echo "hacked"
bash: X: line 1: syntax error near unexpected token `a'
bash: X: line 1: `'
bash: error importing function definition for `X'

(not hacked)

Seth Arnold (seth-arnold) wrote :

Thomas, I'm not sure about your test -- there is a /bin/echo in the filesystem (from the coreutils package) so checking for a file named 'echo' in that directory is not indicative of any attack. I suspect you also have a /root/echo file, perhaps left over from earlier testing. If you do, please delete or rename /root/echo and test again. Be sure to test with a freshly-started bash shell, too.

Thanks

Thomas Muthmann (tmuthmann) wrote :

Hi Seth,
thanks for figuring this out so fast.
I did indeed have a 0-byte file /root/echo from an earlier test.
So my entry #8 can be discarded.
Thanks
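
A clean-room form of the check discussed in this thread, as an added example that is not part of the original report or of the Ubuntu packaging: it runs the test case from the bug description in a fresh temporary directory, so a leftover "echo" file (the false positive identified above) cannot affect the result, and it tests a specific binary rather than trusting the package version. The function name check_cve_2014_7169 and its return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): run the report's CVE-2014-7169
# test case against one specific shell binary, inside an empty directory.
# Return codes (assumed convention for this example):
#   0 = no "echo" file was created    1 = "echo" file created (vulnerable)
#   2 = the check could not be run

check_cve_2014_7169() {
    probe_shell=${1:-bash}
    # env -i clears PATH, so resolve to an absolute path first.
    case $probe_shell in
        /*) ;;
        *) probe_shell=$(command -v "$probe_shell") || return 2 ;;
    esac
    [ -x "$probe_shell" ] || return 2

    # A fresh directory guarantees any "echo" file found afterwards was
    # created by this run, not left behind by an earlier test.
    probe_dir=$(mktemp -d) || return 2
    (
        cd "$probe_dir" || exit 2
        # Test case exactly as given in the bug description.
        env -i X='() { (a)=>\' "$probe_shell" -c 'echo id' >/dev/null 2>&1
        # On an unfixed parser "echo id" becomes ">echo id": id runs and
        # its output lands in a file named "echo".
        if [ -e echo ]; then exit 1; fi
        exit 0
    )
    probe_rc=$?
    rm -rf "$probe_dir"
    return "$probe_rc"
}

# Stand-alone use: check the shell named in $1 (default: bash on PATH).
rc=0
check_cve_2014_7169 "${1:-bash}" || rc=$?
case $rc in
    0) echo "no marker file created: test case did not trigger" ;;
    1) echo "marker file created: binary is still vulnerable" ;;
    *) echo "check could not be run" ;;
esac
```

Passing an explicit path (for example a bash-static binary) checks that binary directly, which is the distinction that mattered here: the 4.3-7ubuntu1.2 package carried the patch but the shipped executable did not.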

This report contains Public Security information  
Everyone can see this security related information.
