FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

bash -- remote code execution vulnerability

Affected packages
3.0 < bash <= 3.0.17
3.1 < bash <= 3.1.18
3.2 < bash <= 3.2.52
4.0 < bash <= 4.0.39
4.1 < bash <= 4.1.12
4.2 < bash <= 4.2.48
4.3 < bash < 4.3.25_1
3.0 < bash-static <= 3.0.17
3.1 < bash-static <= 3.1.18
3.2 < bash-static <= 3.2.52
4.0 < bash-static <= 4.0.39
4.1 < bash-static <= 4.1.12
4.2 < bash-static <= 4.2.48
4.3 < bash-static < 4.3.25_1
linux_base-c6 < 6.5_1

Details

VuXML ID: 71ad81da-4414-11e4-a33e-3c970e169bc2
Discovery: 2014-09-24
Entry: 2014-09-24
Modified: 2014-09-25

Chet Ramey reports:

Under certain circumstances, bash will execute user code while processing the environment for exported function definitions.

The original fix released for CVE-2014-6271 was not adequate. A similar vulnerability was discovered and tagged as CVE-2014-7169.

References

CVE Name: CVE-2014-6271
CVE Name: CVE-2014-7169
URL: http://seclists.org/oss-sec/2014/q3/690
URL: https://lists.gnu.org/archive/html/bug-bash/2014-09/msg00081.html
URL: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/