Re: CVE-2014-7169 vs CVE-2014-6271

[Eric Blake]

On 09/26/2014 02:57 PM, Alan Wild wrote:
> I want to apologize for adding more confusion to this issue.  My statements
> about CVE-2014-7169 where incorrect and misguided.  This change does not
> remove function exporting but only changes how the function names are
> encoded as variable names.

Actually, Chet's fix for CVE-2014-7169 (patch 26, mentioned here:
http://www.openwall.com/lists/oss-security/2014/09/26/1) does NOT change
how function names are encoded; that is a separate patch (such as this
one that Red Hat is using:
http://www.openwall.com/lists/oss-security/2014/09/25/13).  I'm hoping
that Chet will accept the direction that Red Hat has already decided to
go and issue patch 27 as a result, but that is still under discussion.

But yes, it means that the market is now fragmented - upstream bash and
Red Hat bash currently use DIFFERENT syntax for converting raw exports
into functions.  Please read Red Hat's knowledge base article:
https://access.redhat.com/articles/1200223


> If it helps reduce the confusion, machines with the older bash releases or
> CVE-2014-6271 would export a function as follows:
> 
> -bash-3.2$ bash -c 'x() { echo "functions still work" "$@"; }; export -f x;
> env | egrep "functions still work"'
> x=() {  echo "functions still work" "$@"
> but after the patch you get

By "the patch", you are here referring to Red Hat's patch, not Chet's.

> 
> -bash-3.2$ bash -c 'x() { echo "functions still work" "$@"; }; export -f x;
> env | egrep "functions still work"'
> BASH_FUNC_x()=() {  echo "functions still work" "$@"

Correct, this is symptomatic of a Red Hat build.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

signature.asc
Description: OpenPGP digital signature