[Triumf-linux-managers] Second Bash patch for SL3,4
Andrew Daviel
advax at triumf.ca
Wed Oct 1 19:07:03 PDT 2014

On Thu, 25 Sep 2014, Andrew Daviel wrote:
> The original patch released by RedHat (bash-3.2-env-inject.patch)
> can be applied to RHEL 4 and RHEL 3 based systems fairly easily.
>
> I have done this for SL3 i386 and SL4 i386 and placed them in
> /triumfcs/mirror/triumf/legacy/bash == http://mirror/triumf/legacy/bash/
>
> To install, "yum localinstall" (preferred) or "rpm -U"
> You may need to add --force if RPM complains the current install is newer.

I have rebuilt bash for SL3 and SL4 with the second RedHat patch set, to
address CVE-2014-7169.
Viz. bash-2.05b-41.8ad.i386.rpm, bash-3.0-29ad.i386.rpm

I have bumped the minor version to ensure that this bash will not get
overwritten by "yum update" on SL4.

You should install these updates on any SL3 or SL4 machines which cannot
be retired.

The new patches are in the SRPMs; there were some minor adjustments
required.

This version fixes the vulnerability to:

    $ rm -i date ; env -i X='() { (a)=>\' bash -c 'date' ; ls -l date

I can confirm experimentally that the earlier vulnerability CVE-2014-6271

    ( $ env x='() { :;}; echo vulnerable' bash -c "echo test" )

is exploitable in an Apache CGI script written in bash (or /bin/sh, which
is a link). This is rare but possible - I had a reverse traceroute utility
like this.

It is also exploitable in Perl CGI if "shell metacharacters" are used, in
which case bash is invoked, e.g.

    system("date") ; is OK, but
    system("date | wc") is not.

More information:
https://isc.sans.edu/diary/Shellshock%3A+Vulnerable+Systems+you+may+have+missed+and+how+to+move+forward/18721

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
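
Added example, not part of the original message and not the author's own script: a wrapper that runs the two test commands quoted above against a given bash binary inside a scratch directory, and checks whether /bin/sh resolves to bash. The function names and the report format are assumptions made for this illustration.

```shell
#!/bin/bash
# Added example: run the two tests quoted in the message without touching
# the current directory. Each check returns 0 when the bash binary given
# as $1 is vulnerable and 1 when it is not.

check_6271() {
    local out
    # A vulnerable bash runs the command trailing the function definition.
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo test' 2>/dev/null) || true
    case "$out" in *vulnerable*) return 0 ;; *) return 1 ;; esac
}

check_7169() {
    local tmp rc=1
    tmp=$(mktemp -d) || return 2    # 2 = the test could not be run
    # A vulnerable bash leaves a file named "date" behind; look for it in a
    # scratch directory instead of using "rm -i date" in a real one.
    ( cd "$tmp" && env -i X='() { (a)=>\' "$1" -c 'date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/date" ]; then rc=0; fi
    rm -rf "$tmp"
    return "$rc"
}

# True when the given path (default /bin/sh) resolves to bash, so that sh
# CGI scripts and Perl system() calls with metacharacters end up in bash.
sh_is_bash() {
    case "$(readlink -f "${1:-/bin/sh}")" in */bash) return 0 ;; *) return 1 ;; esac
}

report() {
    local b=$1 cve rc
    for cve in 6271 7169; do
        "check_$cve" "$b" && rc=0 || rc=$?
        case "$rc" in
            0) echo "$b: CVE-2014-$cve VULNERABLE" ;;
            1) echo "$b: CVE-2014-$cve not vulnerable" ;;
            *) echo "$b: CVE-2014-$cve test could not be run" ;;
        esac
    done
    if sh_is_bash /bin/sh; then echo "/bin/sh resolves to bash"; fi
}

# Optional argument: path to the bash binary to test.
report "${1:-$(command -v bash)}"
```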