GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Wed Sep 24, 2014 11:26 pm Post subject: [ GLSA 201409-09 ] Bash: Code Injection |
 |
|
Gentoo Linux Security Advisory
Title: Bash: Code Injection (GLSA 201409-09)
Severity: high
Exploitable: local, remote
Date: September 24, 2014
Updated: October 04, 2014
Bug(s): #523592
ID: 201409-09
Synopsis
A parsing flaw related to functions and environments in Bash could
allow attackers to inject code.
Background
Bash is the standard GNU Bourne Again SHell.
Affected Packages
Package: app-shells/bash
Vulnerable: < 4.2_p48
Unaffected: >= 3.1_p18 < 3.2
Unaffected: >= 3.2_p52 < 3.3
Unaffected: >= 4.0_p39 < 4.1
Unaffected: >= 4.1_p12 < 4.2
Unaffected: >= 4.2_p48
Architectures: All supported architectures
Description
Stephane Chazelas reported that Bash incorrectly handles function
definitions, allowing attackers to inject arbitrary code.
Impact
A remote attacker could exploit this vulnerability to execute arbitrary
commands even in restricted environments.
Workaround
There is no known workaround at this time.
Resolution
All Bash 3.1 users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-3.1_p18:3.1"
|
All Bash 3.2 users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-3.2_p52:3.2"
|
All Bash 4.0 users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-4.0_p39:4.0"
|
All Bash 4.1 users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-4.1_p12:4.1"
|
All Bash 4.2 users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-4.2_p48"
|
References
CVE-2014-6271
Last edited by GLSA on Sun Oct 05, 2014 4:34 am; edited 1 time in total |
|
News & Announcements
