touch-packages team mailing list archive
Message #21135
[Bug 1374207] Re: CVE-2014-7169 fix not effective on trusty
Hi Seth,
thanks for figuring this out so fast.
I did indeed have a 0-byte file /root/echo from an earlier test.
So my entry #8 can be discarded.
Thanks
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to bash in Ubuntu.
https://bugs.launchpad.net/bugs/1374207
Title:
  CVE-2014-7169 fix not effective on trusty

Status in “bash” package in Ubuntu:
  Invalid
Status in “bash” source package in Lucid:
  Fix Released
Status in “bash” source package in Precise:
  Fix Released
Status in “bash” source package in Trusty:
  Fix Released
Status in “bash” source package in Utopic:
  Invalid

Bug description:
I can reproduce the testcase from 1373781 with bash 4.3-7ubuntu1.2 on
trusty. The patch did NOT fix it, unfortunately.
rtucker@racer-x:~$ rm -f echo && env -i X='() { (a)=>\' bash -c 'echo id'; cat echo
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
uid=1000(rtucker) gid=1000(rtucker) groups=1000(rtucker),4(adm),6(disk),24(cdrom),27(sudo),30(dip),46(plugdev),112(lpadmin),119(sambashare)
rtucker@racer-x:~$ bash --version
GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
rtucker@racer-x:~$ apt-cache policy bash
bash:
  Installed: 4.3-7ubuntu1.2
  Candidate: 4.3-7ubuntu1.2
  Version table:
 *** 4.3-7ubuntu1.2 0
        500 http://mirrors.linode.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://mirrors.linode.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     4.3-6ubuntu1 0
        500 http://mirrors.linode.com/ubuntu/ trusty/main amd64 Packages
precise does seem fixed, however:
rtucker@barleywine:~$ rm -f echo && env -i X='() { (a)=>\' bash -c 'echo id'; cat echo
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
id
cat: echo: No such file or directory
rtucker@barleywine:~$ bash --version
GNU bash, version 4.2.25(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
rtucker@barleywine:~$ apt-cache policy bash
bash:
  Installed: 4.2-2ubuntu2.3
  Candidate: 4.2-2ubuntu2.3
  Version table:
 *** 4.2-2ubuntu2.3 0
        500 http://mirrors.linode.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://mirrors.linode.com/ubuntu/ precise-security/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     4.2-2ubuntu2 0
        500 http://mirrors.linode.com/ubuntu/ precise/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1374207/+subscriptions
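
Added example, not part of the bug report or of any Ubuntu tooling: the testcase above decides by whether a file named `echo` appears in the current directory, so a leftover `echo` file from an earlier run (as in the reply) can skew the reading. This wrapper runs the same command line in an empty scratch directory; the function name `check_cve_2014_7169` and its optional argument are hypothetical.

```shell
#!/bin/sh
# Added example: run the report's CVE-2014-7169 testcase in a fresh directory.
# check_cve_2014_7169 [SHELL] -- SHELL defaults to "bash" (hypothetical interface).
# Prints "vulnerable", "not-vulnerable" or "error"; exit status 0 only when
# the shell under test did not create ./echo.

check_cve_2014_7169() {
    bash_bin=${1:-bash}
    case $bash_bin in
        */*) ;;   # already a path; pass an absolute one, since we cd below
        *) bash_bin=$(command -v "$bash_bin") || { echo error; return 2; } ;;
    esac

    # Empty scratch directory: no stale ./echo can exist here.
    workdir=$(mktemp -d) || { echo error; return 2; }

    # Same command line as in the bug description. The import errors on
    # stderr are expected on both fixed and unfixed versions, so they are
    # discarded; only the side effect on the directory matters.
    (
        cd "$workdir" || exit 2
        env -i X='() { (a)=>\' "$bash_bin" -c 'echo id' >/dev/null 2>&1
        exit 0
    ) || { rm -rf "$workdir"; echo error; return 2; }

    # In the report, the affected host ends up with ./echo holding the
    # output of id; the fixed host prints "id" and has no such file.
    if [ -e "$workdir/echo" ]; then
        result=vulnerable
    else
        result=not-vulnerable
    fi

    rm -rf "$workdir"
    echo "$result"
    [ "$result" = not-vulnerable ]
}

# Run the check when executed directly with an argument, e.g.:
#   sh check.sh /bin/bash
if [ "$#" -gt 0 ]; then
    check_cve_2014_7169 "$1"
fi
```

Because the scratch directory is created and removed on every call, the result does not depend on which directory the check is started from or on what earlier tests left behind.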