Starred by 1 user
Status: Verified
Owner:
Closed: Oct 2014
Cc:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Security
Security: code execution via bash environment variables
Project Member Reported by jorgelo@chromium.org, Sep 24 2014
Comment 1 by leecam@chromium.org, Sep 24 2014
Cc: leecam@chromium.org
Project Member Comment 2 by bugdroid1@chromium.org, Sep 25 2014
Project: chromiumos/overlays/portage-stable
Branch : master
Author : Mike Frysinger <vapier@chromium.org>
Commit : dbd5f4fbce5327d79eb873cf931a2ff5e815bcf8

Code-Review  0 : Mike Frysinger, chrome-internal-fetch
Code-Review  +2: Jorge Lucangeli Obes
Commit-Queue 0 : Jorge Lucangeli Obes, chrome-internal-fetch
Commit-Queue +1: Mike Frysinger
Verified     0 : Jorge Lucangeli Obes, chrome-internal-fetch
Verified     +1: Mike Frysinger
Change-Id      : Ia51e1adf14ef8d64fa3a96a24f29a0ea6b5d7443
Reviewed-at    : https://chromium-review.googlesource.com/219750

bash: backport upstream security fix

BUG= chromium:417329 
TEST=`VAR="() { ignored; }; /usr/bin/id" bash` no longer runs `id`

app-shells/bash/bash-4.2_p45-r2.ebuild
app-shells/bash/bash-4.2_p45.ebuild
app-shells/bash/files/bash-4.2-bash43-025.patch
Comment 3 by vapier@chromium.org, Sep 25 2014
Cc: benhenry@chromium.org dharani@chromium.org josa...@chromium.org
Labels: Merge-Requested
Status: Started
not sure if we're cutting M37 anymore, so i only posted a CL for M38
Labels: -Merge-Requested Merge-Approved
We are not doing M37 anymore. Merge approved for M38.
Project Member Comment 5 by bugdroid1@chromium.org, Sep 25 2014
Project: chromiumos/overlays/portage-stable
Branch : release-R38-6158.B
Author : Mike Frysinger <vapier@chromium.org>
Commit : 91e86f7492d5bd24a57c9842db579fbec4bfd993

Code-Review  0 : Mike Frysinger, chrome-internal-fetch
Code-Review  +2: Jorge Lucangeli Obes
Commit-Queue 0 : Jorge Lucangeli Obes, chrome-internal-fetch
Commit-Queue +1: Mike Frysinger
Verified     0 : Jorge Lucangeli Obes, chrome-internal-fetch
Verified     +1: Mike Frysinger
Change-Id      : Ia51e1adf14ef8d64fa3a96a24f29a0ea6b5d7443
Reviewed-at    : https://chromium-review.googlesource.com/219754

bash: backport upstream security fix

BUG= chromium:417329 
TEST=`VAR="() { ignored; }; /usr/bin/id" bash` no longer runs `id`

Previous-Reviewed-on: https://chromium-review.googlesource.com/219750
(cherry picked from commit dbd5f4fbce5327d79eb873cf931a2ff5e815bcf8)

app-shells/bash/bash-4.2_p45-r2.ebuild
app-shells/bash/bash-4.2_p45.ebuild
app-shells/bash/files/bash-4.2-bash43-025.patch
Comment 6 by leecam@chromium.org, Sep 25 2014
Quote from Tavis on Twitter :) 

"The bash patch seems incomplete to me, function parsing is still brittle. e.g. $ env X='() { (a)=>\' sh -c "echo date"; cat echo"

Are we sure the upstream patch is any good?
The current patch blocks appending commands to function definitions. It does not remove the function definition feature in bash. This removes the immediate threat, but there's a lot of code that's still exposed.

http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html for context.
Comment 8 by vapier@chromium.org, Sep 25 2014
right, exporting funcs via the env is a bash feature.  deleting it entirely isn't an option.

wrt upstream patch status, i'm not about to go diving in to the bash source and trying to fix the parser myself.  that's a huge codebase with no real unittests.  we can wait for Chet to post an updated patch.
Once we push the update with the bash fix, I think we can call this fixed. Exposure in CrOS was low to begin with.

If a new patch surfaces, we can add it to ToT.
the parsing logic Tavis pointed out is that you can still execute arbitrary commands and redirect the output to a file.

 env X='() { (a)=>\' sh -c "echo date"

this runs `date` and writes the output to a file named "echo".  to get back to the original example:

 env X='() { (a)=>\' sh -c "/dev/stdout /bin/id; date"

that'll run `id` and `date` and write the output to /dev/stdout.
Yeah, it's pretty clear the patch is incomplete. I don't think this should block shipping the updated M-38.
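The two probes discussed above (the `TEST=` line from the first backport and the redirection variant explained in comment 8), wrapped in a small check that reports whether a given bash still accepts either. This is an added example, not the project's own test script: it assumes a `bash` on PATH (or a path passed as the first argument), replaces `/usr/bin/id` with an echo marker, and runs inside a temporary directory so the only side effect of an unpatched shell is a stray file there.

```shell
#!/bin/sh
# shellshock_status [path-to-bash]
# Prints one of: missing, patched, vulnerable-6271, vulnerable-7169.
shellshock_status() {
  sh_bin="${1:-bash}"
  command -v "$sh_bin" >/dev/null 2>&1 || { echo missing; return 0; }
  tmp=$(mktemp -d) || return 1
  (
    cd "$tmp" || exit 1
    # Probe 1: the original TEST= line with `id` swapped for an echo marker.
    # An unpatched bash executes the text after the function body at startup,
    # so "SHOCKED" shows up in stdout before the real -c command runs.
    out1=$(VAR='() { ignored; }; echo SHOCKED' "$sh_bin" -c 'echo probe1' 2>/dev/null)
    # Probe 2: the parser follow-up from comment 8. With only the first
    # upstream fix applied, the trailing "(a)=>\" leaves the parser in a state
    # where the -c command becomes a redirection: nothing is printed and a
    # file named "echo" appears in the current directory.
    out2=$(env X='() { (a)=>\' "$sh_bin" -c 'echo probe2' 2>/dev/null)
    case "$out1" in
      *SHOCKED*) echo vulnerable-6271; exit 0 ;;
    esac
    if [ -e echo ] || [ "$out2" != probe2 ]; then
      echo vulnerable-7169
      exit 0
    fi
    echo patched
  )
  rc=$?
  rm -rf "$tmp"
  return $rc
}
```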
Labels: -Merge-Approved Merge-Merged
Project Member Comment 13 by bugdroid1@chromium.org, Sep 30 2014
Project: chromiumos/overlays/portage-stable
Branch : master
Author : Mike Frysinger <vapier@chromium.org>
Commit : 55046f236d8f112b009414a04bec36f3bfb6759d

Code-Review  0 : Mike Frysinger, chrome-internal-fetch
Code-Review  +2: Jorge Lucangeli Obes
Commit-Queue 0 : Jorge Lucangeli Obes, chrome-internal-fetch
Commit-Queue +1: Mike Frysinger
Verified     0 : Jorge Lucangeli Obes, chrome-internal-fetch
Verified     +1: Mike Frysinger
Change-Id      : Idc1be24910a9b991156f290d1dcefc64202385cd
Reviewed-at    : https://chromium-review.googlesource.com/220190

bash: upgraded package to upstream

Upgraded app-shells/bash to version 4.2_p48-r1 for all.

Also apply Redhat patches:
	bash-4.2-redhat-func-export.patch
	bash-4.2-redhat-here-docs-stack.patch

BUG= chromium:417329 
TEST=`env X='() { (a)=>\' bash -c "/dev/stdin date"` no longer shows the date
TEST=`cbuildbot amd64-generic-full` passes

app-shells/bash/Manifest
app-shells/bash/bash-4.2_p45-r2.ebuild
app-shells/bash/bash-4.2_p48-r1.ebuild
app-shells/bash/files/bash-4.2-bash43-025.patch
app-shells/bash/files/bash-4.2-read-retry.patch
app-shells/bash/files/bash-4.2-redhat-func-export.patch
app-shells/bash/files/bash-4.2-redhat-here-docs-stack.patch
app-shells/bash/files/bash-eol-pushback.patch
app-shells/bash/files/bashrc
metadata/md5-cache/app-shells/bash-4.2_p45
metadata/md5-cache/app-shells/bash-4.2_p45-r2
Project Member Comment 14 by bugdroid1@chromium.org, Sep 30 2014
Project: chromiumos/overlays/portage-stable
Branch : release-R38-6158.B
Author : Mike Frysinger <vapier@chromium.org>
Commit : dfa6f7898aa2df1b82c86b35ecbdb430609a82c0

Code-Review  0 : Mike Frysinger, chrome-internal-fetch
Code-Review  +2: Jorge Lucangeli Obes
Commit-Queue 0 : Jorge Lucangeli Obes, chrome-internal-fetch
Commit-Queue +1: Mike Frysinger
Verified     0 : Jorge Lucangeli Obes, chrome-internal-fetch
Verified     +1: Mike Frysinger
Change-Id      : Idc1be24910a9b991156f290d1dcefc64202385cd
Reviewed-at    : https://chromium-review.googlesource.com/220353

bash: upgraded package to upstream

Upgraded app-shells/bash to version 4.2_p48-r1 for all.

Also apply Redhat patches:
	bash-4.2-redhat-func-export.patch
	bash-4.2-redhat-here-docs-stack.patch

BUG= chromium:417329 
TEST=`env X='() { (a)=>\' bash -c "/dev/stdin date"` no longer shows the date
TEST=`cbuildbot amd64-generic-full` passes

Previous-Reviewed-on: https://chromium-review.googlesource.com/220190
(cherry picked from commit 55046f236d8f112b009414a04bec36f3bfb6759d)

app-shells/bash/Manifest
app-shells/bash/bash-4.2_p45-r2.ebuild
app-shells/bash/bash-4.2_p48-r1.ebuild
app-shells/bash/files/bash-4.2-bash43-025.patch
app-shells/bash/files/bash-4.2-read-retry.patch
app-shells/bash/files/bash-4.2-redhat-func-export.patch
app-shells/bash/files/bash-4.2-redhat-here-docs-stack.patch
app-shells/bash/files/bash-eol-pushback.patch
app-shells/bash/files/bashrc
metadata/md5-cache/app-shells/bash-4.2_p45
metadata/md5-cache/app-shells/bash-4.2_p45-r2
Project Member Comment 15 by bugdroid1@chromium.org, Sep 30 2014
Labels: M-39
Project: chromiumos/overlays/portage-stable
Branch : release-R39-6310.B
Author : Mike Frysinger <vapier@chromium.org>
Commit : 8b0097746ea2346fa54151ea8f8b55794f23f0fd

Code-Review  0 : Mike Frysinger, chrome-internal-fetch
Code-Review  +2: Jorge Lucangeli Obes
Commit-Queue 0 : Jorge Lucangeli Obes, chrome-internal-fetch
Commit-Queue +1: Mike Frysinger
Verified     0 : Jorge Lucangeli Obes, chrome-internal-fetch
Verified     +1: Mike Frysinger
Change-Id      : Idc1be24910a9b991156f290d1dcefc64202385cd
Reviewed-at    : https://chromium-review.googlesource.com/220352

bash: upgraded package to upstream

Upgraded app-shells/bash to version 4.2_p48-r1 for all.

Also apply Redhat patches:
	bash-4.2-redhat-func-export.patch
	bash-4.2-redhat-here-docs-stack.patch

BUG= chromium:417329 
TEST=`env X='() { (a)=>\' bash -c "/dev/stdin date"` no longer shows the date
TEST=`cbuildbot amd64-generic-full` passes

Previous-Reviewed-on: https://chromium-review.googlesource.com/220190
(cherry picked from commit 55046f236d8f112b009414a04bec36f3bfb6759d)

app-shells/bash/Manifest
app-shells/bash/bash-4.2_p45-r2.ebuild
app-shells/bash/bash-4.2_p48-r1.ebuild
app-shells/bash/files/bash-4.2-bash43-025.patch
app-shells/bash/files/bash-4.2-read-retry.patch
app-shells/bash/files/bash-4.2-redhat-func-export.patch
app-shells/bash/files/bash-4.2-redhat-here-docs-stack.patch
app-shells/bash/files/bash-eol-pushback.patch
app-shells/bash/files/bashrc
metadata/md5-cache/app-shells/bash-4.2_p45
metadata/md5-cache/app-shells/bash-4.2_p45-r2
Cc: ahumesky@chromium.org
ref b/17643121
Labels: -Security_Severity-Medium Security_Severity-Low
Status: Fixed
Lowering this to low since Chrome OS uses dash everywhere, except for crosh which has to be manually started.
Comment 18 by jln@chromium.org, Oct 15 2014
Cc: stads@google.com
Labels: Release-0-M39
Project Member Comment 20 by ClusterFuzz, Jan 13 2015
Labels: -Restrict-View-SecurityTeam
Bulk update: removing view restriction from closed bugs.
Labels: VerifyIn-42
Comment 22 by krisr@chromium.org, Feb 27 2015
Status: Verified
Project Member Comment 23 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 24 by sheriffbot@chromium.org, Oct 1 2016
Labels: Restrict-View-SecurityNotify
Project Member Comment 25 by sheriffbot@chromium.org, Oct 2 2016
Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic