Security - 4.2 0002 - BASH (aka shellshock) vulnerability - CVE-2014-[6271/6277/6278/7169/7186/7187]

Added by My Self over 6 years ago

I've executed the following line within the Terminal Emulator:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
which shows that the Replicant / Android BASH is also vulnerable to the security issues:
CVE-2014-6271 (aka "Shellshock"): https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
CVE-2014-7169 : https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

I've tested the patched BASH from XDA developers with success (= not vulnerable anymore).
More information here: http://www.xda-developers.com/android/bash-patched-shellshock-vulnerability/
The source code here: https://github.com/3lo0sh/bash-arm

I've noticed that CyanogenMod also provides patches for those two issues here:
https://github.com/CyanogenMod/android_external_bash/commit/1392e41109f3dbae276726ae0af1f15c87829df5
https://github.com/CyanogenMod/android_external_bash/commit/58b59146c7cfd39b08f13fe829c7a269c61fe7f4
which could probably be easy to merge within Replicant; I'd like to ask you - the Replicant developers - to do so.

Thanks in advance for any support.


Replies (3)

RE: Security - 4.2 0002 - BASH vulnerability? (CVE-2014-6271 & CVE-2014-7169) - Added by Paul Kocialkowski over 6 years ago

> which could probably be easy to merge within Replicant; I'd like to ask you - the Replicant developers - to do so.

We've done that a few days ago already: https://gitorious.org/replicant/external_bash/commits/64368c6fd95e4f749e6133398ad4d5fce3c9b940

We'll be releasing a new set of images soon.

RE: Security - 4.2 0002 - BASH vulnerability? (CVE-2014-6271 & CVE-2014-7169) - Added by My Self over 6 years ago

Thanks for your fast reply and that valuable information!

AFAIK there exist some more issues to make the BASH "shellshockable":
https://access.redhat.com/security/cve/CVE-2014-7186
https://access.redhat.com/security/cve/CVE-2014-7187
https://access.redhat.com/security/cve/CVE-2014-6278

Probably some further patches for these issues will come up, as advertised here:
https://jira.cyanogenmod.org/browse/CYAN-5594

I hope you also see the necessity to merge those (upcoming) patches, too.

Thanks again for all your work!

RE: Security - 4.2 0002 - BASH vulnerability? (CVE-2014-6271 & CVE-2014-7169) - Added by My Self over 6 years ago

I've researched a bit and the 4 further patches are already available:

Issues:
https://access.redhat.com/security/cve/CVE-2014-7186
https://access.redhat.com/security/cve/CVE-2014-7187
https://access.redhat.com/security/cve/CVE-2014-6277
https://access.redhat.com/security/cve/CVE-2014-6278
Patches:
https://github.com/CyanogenMod/android_external_bash/commit/027626f9f273edf1c435c223f93768ec6dcc5301
https://github.com/CyanogenMod/android_external_bash/commit/bd2cb35e07e5cef774220e8b57bace207f162e50
https://github.com/CyanogenMod/android_external_bash/commit/369692c969182053c3a8f81775fa022934e3bd95
https://github.com/CyanogenMod/android_external_bash/commit/658bb3b21b2923f5e37dfe1ae2262fac5297d1af

Hope you'll merge them, too (before the 4.2 0003 images are released).

[UPDATE]
Like I said, I'm using:
https://github.com/3lo0sh/bash-arm
in the meantime. This brings a fully patched BASH 4.3.30 to my Replicant installation. I've tested that my bash installation isn't vulnerable to all 6 CVEs listed above anymore with the following script:
https://github.com/hannob/bashcheck/blob/master/bashcheck
I just had to change the first line from this:
#!/bin/bash
to that:
#!/system/xbin/bash

I executed it in the Terminal Emulator app (as root) this way:
su
chmod +x /storage/{path_to_the_script}/bashcheck
. /storage/{path_to_the_script}/bashcheck

So my final question is, would it be (alternatively) possible to push the Replicant BASH version up to >= v4.3.30; for example with the help of the github repository above?
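
Added example, not part of the thread and not code from Replicant or bashcheck: a small script that runs the CVE-2014-6271 probe from the first post against explicitly named bash binaries (such as /system/xbin/bash) rather than whichever bash is first in PATH. The function names `classify_probe_output` and `probe_bash` are hypothetical, and the script covers only that one probe, not the other five CVEs discussed above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from any project.

# Classify the text printed by the probe command from the first post.
classify_probe_output() {
    case "$1" in
        *vulnerable*)       echo "vulnerable" ;;      # trailing command was executed
        *"this is a test"*) echo "not vulnerable" ;;  # only the -c command ran
        *)                  echo "unknown" ;;         # binary did not behave like bash
    esac
}

# Run the probe against one specific bash binary and print the verdict.
probe_bash() {
    bash_bin=$1
    if [ ! -x "$bash_bin" ]; then
        echo "missing"
        return 0
    fi
    # Same probe as in the first post; stderr is dropped because partially
    # patched builds print warnings about the rejected function definition.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null) || true
    classify_probe_output "$out"
}

# Usage: sh probe.sh /system/xbin/bash /system/bin/bash
# Exit status is 1 if any listed binary is reported as vulnerable.
if [ "$#" -gt 0 ]; then
    rc=0
    for b in "$@"; do
        result=$(probe_bash "$b")
        printf '%s: %s\n' "$b" "$result"
        if [ "$result" = "vulnerable" ]; then
            rc=1
        fi
    done
    exit "$rc"
fi
```

A "not vulnerable" result here says nothing about CVE-2014-7169, -7186, -7187, -6277 or -6278; those need the fuller checks that bashcheck performs.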
