CVE-2014-6277

Priority
Medium
Description
GNU Bash through 4.3 bash43-026 does not properly parse function
definitions in the values of environment variables, which allows remote
attackers to execute arbitrary code or cause a denial of service
(uninitialized memory access, and untrusted-pointer read and write
operations) via a crafted environment, as demonstrated by vectors involving
the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules
in the Apache HTTP Server, scripts executed by unspecified DHCP clients,
and other situations in which setting the environment occurs across a
privilege boundary from Bash execution. NOTE: this vulnerability exists
because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.
Notes
 mdeslaur> this issue is mitigated by Florian Weimer's prefix-suffix patch
 mdeslaur> that is included in https://usn.ubuntu.com/usn/usn-2364-1/
 mdeslaur> since bash parser vulnerabilities are now limited to specially
 mdeslaur> named environment variables, and as such are no longer directly
 mdeslaur> exposed to CGI scripts, SSH, etc.
 mdeslaur>
 mdeslaur> Once an upstream patch is made available, we will release bash
 mdeslaur> updates, but we don't consider this to be a critical issue
 mdeslaur> requiring immediate attention.
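
A way to confirm on a given host the hardening the notes describe (an added example, not part of the tracker entry and not Ubuntu or bash project code): it checks whether bash still turns an ordinarily named environment variable into a function, and reports which variable name bash uses when it exports one. The names `gr_probe`, `check_function_import`, `export_name` and `BASH_BIN` are made up for this example.

```shell
#!/bin/sh
# Added example: probe for the function-import hardening described in the notes.
# gr_probe, check_function_import, export_name and BASH_BIN are constructed names.

BASH_BIN="${BASH_BIN:-bash}"   # bash binary to test; override to check another build

# Prints "legacy-import" if bash builds a function from an ordinarily named
# variable whose value starts with "() {", "hardened" if it does not, and
# "no-bash" if the binary is missing. The probe body is a no-op (":"); the
# child shell is only asked whether a function called gr_probe exists.
check_function_import() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    if env 'gr_probe=() { :; }' "$BASH_BIN" -c 'declare -F gr_probe' >/dev/null 2>&1
    then
        echo "legacy-import"
        return 1
    else
        echo "hardened"
        return 0
    fi
}

# Prints the environment variable name bash uses when exporting a function.
# A hardened build uses a specially decorated name (upstream bash uses
# BASH_FUNC_<name>%%); an unhardened build uses the bare function name.
export_name() {
    "$BASH_BIN" -c 'gr_probe() { :; }; export -f gr_probe; env' 2>/dev/null |
        sed -n 's/^\([^=]*gr_probe[^=]*\)=() {.*/\1/p' | head -n 1
}

printf 'function import from plain variable: %s\n' "$(check_function_import)"
printf 'exported function variable name:     %s\n' "$(export_name)"
```

A result of `legacy-import`, or an exported name of plain `gr_probe`, means any variable an untrusted party can set (CGI headers, SSH environment, DHCP options) still reaches the function parser.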
Assigned-to
mdeslaur
Package
Source: bash (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 14.04 LTS (Trusty Tahr): released (4.3-7ubuntu1.5)

Updated: 2017-12-15 20:33:45 UTC (commit 13913)