CVE-2014-6278

Priority
Medium
Description
GNU Bash through 4.3 bash43-026 does not properly parse function
definitions in the values of environment variables, which allows remote
attackers to execute arbitrary commands via a crafted environment, as
demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd,
the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts
executed by unspecified DHCP clients, and other situations in which setting
the environment occurs across a privilege boundary from Bash execution.
NOTE: this vulnerability exists because of an incomplete fix for
CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.
References
Notes
 mdeslaur> this issue is mitigated by Florian Weimer's prefix-suffix patch
 mdeslaur> that is included in https://usn.ubuntu.com/usn/usn-2364-1/
 mdeslaur> since bash parser vulnerabilities are now limited to specially
 mdeslaur> named environment variables, and as such are no longer directly
 mdeslaur> exposed to CGI scripts, SSH, etc.
 mdeslaur>
 mdeslaur> Once an upstream patch is made available, we will release bash
 mdeslaur> updates, but we don't consider this to be a critical issue
 mdeslaur> requiring immediate attention.
Assigned-to
mdeslaur
Package
Source: bash (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 14.04 LTS (Trusty Tahr):released (4.3-7ubuntu1.5)
More Information

Updated: 2017-12-15 20:33:45 UTC (commit 13913)