Bugzilla – Bug 898346
VUL-0: CVE-2014-7169: bash: incremental parsing fix for function environment issue
Last modified: 2019-05-01 16:21:17 UTC
Via oss-sec an incremental problem in bash parsing was found: https://twitter.com/taviso/status/514887394294652929

  env X='() { (a)=>\' sh -c "echo date"; cat echo

  X='() { function a a>\' bash -c echo

I can however not reproduce the reported issue, I get:

  sh: X: line 1: syntax error near unexpected token `='
  sh: X: line 1: `'
Created attachment 607764: eol-pushback.patch (patch from Chet)
There seems to be more ongoing work here, we will wait a bit to settle for final patches before doing a follow up release.
Affected packages:
  SLE-10-SP3-TERADATA: bash
  SLE-11-SP3: bash
  SLE-11-SP3-PRODUCTS: bash
  SLE-11-SP3-UPTU: bash
  SLE-12: bash
The issue is that you can still evaluate an environment variable function with the content of the first executed shell line appended. So still not well fixed.
Please again note this issue is NOT as severe as the original issue. Also follow up patches are in development and will result in a roll up bash update fixing them soonish.
This is an autogenerated message for OBS integration: This bug (898346) was mentioned in
  https://build.opensuse.org/request/show/252461 13.1 / bash
  https://build.opensuse.org/request/show/252465 12.3 / bash
Testcase:

  X='() { function a a>\' bash -c echo

Afterwards there should be no "echo" file in the current directory.
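The testcase above, wrapped into a small POSIX sh check that runs it (together with the original oss-sec variant from the first comment) inside a scratch directory and reports whether the trailing backslash in the imported function body swallows the next line. This is an added example, not code from the bug report or from the bash project; it assumes a `bash` binary on PATH (or a path passed as the first argument) and a working `mktemp -d`. Detection is purely by side effect: a vulnerable bash leaves a file named `echo` behind, a fixed one refuses the function import instead.

```shell
#!/bin/sh
# Added example (not part of the bug report): run the CVE-2014-7169 testcases from
# this thread against a bash binary in a scratch directory and report the outcome.
# Assumes: "bash" on PATH (or a path given as $1) and mktemp(1).
#
# Prints and returns:
#   "not vulnerable" / 0  - no "echo" file was created by either testcase
#   "vulnerable"     / 1  - the pushed-back line was executed, "echo" file exists
#   "cannot find …"  / 2  - the requested binary does not exist or the scratch dir failed
check_cve_2014_7169() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        printf 'cannot find %s\n' "$bash_bin"
        return 2
    fi
    scratch=$(mktemp -d) || return 2

    # Run both testcases in a subshell so the cwd of the caller is untouched;
    # stdout/stderr are discarded because only the created file matters here.
    (
        cd "$scratch" || exit 2
        # Testcase from this thread: on a vulnerable bash "a>" takes the pushed-back
        # word "echo" as its redirection target and creates an empty file "echo".
        env X='() { function a a>\' "$bash_bin" -c echo >/dev/null 2>&1
        # Original oss-sec variant: on a vulnerable bash the output of "date" ends
        # up in a file named "echo" instead of "echo date" being run as a command.
        env X='() { (a)=>\' "$bash_bin" -c "echo date" >/dev/null 2>&1
        [ -e echo ] && exit 1
        exit 0
    )
    hit=$?
    rm -rf "$scratch"

    case $hit in
        0) printf 'not vulnerable\n' ;;
        1) printf 'vulnerable\n' ;;
        *) printf 'could not run %s\n' "$bash_bin" ;;
    esac
    return "$hit"
}

# Stand-alone use: ./check.sh [/path/to/bash]
check_cve_2014_7169 "$@"
```

Note that this only checks the bash binary you point it at; processes that were started before the update and already have the old bash mapped in are not covered, which is why the thread recommends `exec bash` in running sessions.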
In some cases you need to run `exec bash` after the update. It might not be needed, but it does not hurt either, just in case you still have the error.
MassPTFs for sles11-sp[123], built from SUSE:SLE-11-SP[123]:Update:Test/bash are available in bug 898762.
I've upgraded bash to the latest version of SLES-11-SP3. The problem is still there.

Reproduce steps:
-------------------------------------------------------------------------
shawn@shawn-fortress:/tmp # date -u > test_file
shawn@shawn-fortress:/tmp # env X='() { (a)=<\' bash -c 'test_file cat'
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
Sun Sep 28 16:38:43 UTC 2014
-------------------------------------------------------------------------
openSUSE-SU-2014:1229-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 898346,898603,898604
CVE References: CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
Sources used:
  openSUSE 12.3 (src): bash-4.2-61.15.1

openSUSE-SU-2014:1242-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 898346,898603,898604
CVE References: CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
Sources used:
  openSUSE 13.1 (src): bash-4.2-68.8.1
update is released
SUSE-SU-2014:1247-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 898346,898603,898604
CVE References: CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
Sources used:
  SUSE Linux Enterprise Software Development Kit 11 SP3 (src): bash-3.2-147.22.1
  SUSE Linux Enterprise Server 11 SP3 for VMware (src): bash-3.2-147.22.1
  SUSE Linux Enterprise Server 11 SP3 (src): bash-3.2-147.22.1
  SUSE Linux Enterprise Server 11 SP2 LTSS (src): bash-3.2-147.14.22.1
  SUSE Linux Enterprise Server 11 SP1 LTSS (src): bash-3.2-147.14.22.1
  SUSE Linux Enterprise Server 10 SP4 LTSS (src): bash-3.1-24.34.1
  SUSE Linux Enterprise Server 10 SP3 LTSS (src): bash-3.1-24.34.1
  SUSE Linux Enterprise Desktop 11 SP3 (src): bash-3.2-147.22.1

This is an autogenerated message for OBS integration: This bug (898346) was mentioned in
  https://build.opensuse.org/request/show/252744 Factory / bash
We need this patch, how can we get it?
This is an autogenerated message for OBS integration: This bug (898346) was mentioned in
  https://build.opensuse.org/request/show/252752 13.2 / bash
Hi, here is my personal story of how I got ahold of this patch. Our customer is using SLES4SAP on servers that do not have access to an internet proxy. The customer does not have SMT, so they had to download the patch from the internet. This happens to work because the packages do not have many dependencies. The long-term solution is to install an SMT proxy at the customer.

* go to https://download.suse.com/patch/finder
* "Product" -> SUSE Linux Enterprise Server
* "Select Version" -> do NOT select "SUSE Linux Enterprise for SAP Applications 11 SP2", because this will only give you the patches SPECIFIC to SLES4SAP
* do NOT select "SUSE Linux Enterprise Server 11 SP 2", because this is out of maintenance
* select "SUSE Linux Enterprise Server 11 SP 2 LTSS". LTSS stands for long-term support.
* download the files and install them with rpm -Uvh

We have enabled all-SLES access to our LTSS bash patches (10-SP3, 10-SP4, 11-SP1, 11-SP2). Follow the links on http://support.novell.com/security/cve/CVE-2014-7169.html to your service pack level and you should be able to manually download them there. If your product is not covered (older), open a ticket with our support team, they can provide you packages (so basically what you describe above).
SUSE-SU-2014:1259-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 898346,898603,898604
CVE References: CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
Sources used:
  SUSE Linux Enterprise Software Development Kit 12 (src): bash-4.2-81.1
  SUSE Linux Enterprise Server 12 (src): bash-4.2-81.1
  SUSE Linux Enterprise Desktop 12 (src): bash-4.2-81.1
  12 (src): bash-4.2-81.1
Sorry, I put the wrong link: http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7169.html, which was published on Friday; they did upload the patch on Sat.
openSUSE-SU-2014:1308-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 896776,898346
CVE References: CVE-2014-6271,CVE-2014-7169,CVE-2014-7187
Sources used:
  openSUSE 12.3 (src): bash-4.2-61.19.1

This is an autogenerated message for OBS integration: This bug (898346) was mentioned in
  https://build.opensuse.org/request/show/259512 Factory / bash