Re: CVE-2014-6271: remote code execution through bash

[Solar Designer <solar () openwall com>]

Chet,

On Thu, Sep 25, 2014 at 09:07:07PM -0400, Chet Ramey wrote:
> On 9/24/14, 9:30 PM, Solar Designer wrote:
> > On Wed, Sep 24, 2014 at 06:26:53PM -0700, Anthony Liguori wrote:
> > > On Wed, Sep 24, 2014 at 6:23 PM, Chet Ramey <chet.ramey () case edu> wrote:
> > > > On 9/24/14, 5:32 PM, Solar Designer wrote:
> > > > > On Wed, Sep 24, 2014 at 11:27:09PM +0200, Hanno B??ck wrote:
> > > > > > Tavis Ormandy just tweetet this:
> > > > > > https://twitter.com/taviso/status/514887394294652929
> > > > > >
> > > > > > The bash patch seems incomplete to me, function parsing is still
> > > > > > brittle. e.g. $ env X='() { (a)=>\' sh -c "echo date"; cat echo
> > > > >
> > > > > Thanks for bringing this to oss-security.  I've added CC to Chet and
> > > > > Tavis on this "reply".
> > > >
> > > > I have a fix for this.
> > >
> > > Can you provide a pointer to the patch?  I put together a patch that
> > > changed the report_error() to fatal_error() as I wasn't able to see
> > > how to reset the parser state.  Was just about to send it out...
>
> I have positive confirmation that this patch works, so here are patches for
> bash versions bash-2.05b to bash-4.3.
>
> I will probably push these out tomorrow.

Since these patches look final and are updating the bash patchlevel
number, is it OK for distros to use them as-is, with the patchlevel
number update already?

They are not yet on ftp.gnu.org.  BTW, I notice that your earlier
bash 2.05b patch isn't there, either.

And while I am at it - thank you for providing detached signatures for
bash patches!  This is something the VIM project fails at, whereas you
do it right.  Appreciated!

Alexander