Bash security vulnerabilities - Question for master

Openembedded Core Discussions
 help / color / mirror / Atom feed

* Bash security vulnerabilities - Question for master
@ 2014-10-02 14:48 Mark Hatle
  2014-10-02 15:13 ` Paul Eggleton
  0 siblings, 1 reply; 4+ messages in thread
From: Mark Hatle @ 2014-10-02 14:48 UTC (permalink / raw)
  To: Patches and discussions about the oe-core layer

With the recent vulnerabilities, a bunch of patches are being sent up to the 
list.  The content is generally fine, but I'm wondering if for master we should 
apply all of the official bash patches to get to the latest patch version, 
instead of applying various 'security' fixes that may or may not be the official 
version.

For instance, bash_4.3:

SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
[followed by a bunch of local patches]
"

ncftp .../bash/bash-4.3-patches > ls
bash43-001        bash43-004.sig    bash43-008        bash43-011.sig 
bash43-015        bash43-018.sig    bash43-022        bash43-025.sig
bash43-001.sig    bash43-005        bash43-008.sig    bash43-012 
bash43-015.sig    bash43-019        bash43-022.sig    bash43-026
bash43-002        bash43-005.sig    bash43-009        bash43-012.sig 
bash43-016        bash43-019.sig    bash43-023        bash43-026.sig
bash43-002.sig    bash43-006        bash43-009.sig    bash43-013 
bash43-016.sig    bash43-020        bash43-023.sig    bash43-027
bash43-003        bash43-006.sig    bash43-010        bash43-013.sig 
bash43-017        bash43-020.sig    bash43-024        bash43-027.sig
bash43-003.sig    bash43-007        bash43-010.sig    bash43-014 
bash43-017.sig    bash43-021        bash43-024.sig    bash43-028
bash43-004        bash43-007.sig    bash43-011        bash43-014.sig 
bash43-018        bash43-021.sig    bash43-025        bash43-028.sig

The community has 28 patches for various bugs (and these security issues) 
posted.  Would it make sense to update to bash 4.3 (28)?

In our bash 3.2.48:

SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \

${GNU_MIRROR}/bash/bash-3.2-patches/bash32-049;apply=yes;striplevel=0;name=patch001 
\

${GNU_MIRROR}/bash/bash-3.2-patches/bash32-050;apply=yes;striplevel=0;name=patch002 
\

${GNU_MIRROR}/bash/bash-3.2-patches/bash32-051;apply=yes;striplevel=0;name=patch003 
\
...
"

Some of the upstream items are applied, but I'm wondering if we should extend 
that to patch level 55 (the latest) in the same way.

Both patch level 4.3 - 28 and 3.2.48 - 55 will apply all of the fixes that keep 
getting submitted plus a set of other general bugs.  It will also make it easier 
for security scanners to simply check the version and know the right fixes have 
been applied.

(Note, there will be at least one more patch coming out that fixes a few more 
defects according to the mailing lists.  I expect it today or tomorrow.)

--Mark

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Bash security vulnerabilities - Question for master
  2014-10-02 14:48 Bash security vulnerabilities - Question for master Mark Hatle
@ 2014-10-02 15:13 ` Paul Eggleton
  2014-10-02 15:48   ` Mark Hatle
  0 siblings, 1 reply; 4+ messages in thread
From: Paul Eggleton @ 2014-10-02 15:13 UTC (permalink / raw)
  To: Mark Hatle; +Cc: openembedded-core

On Thursday 02 October 2014 09:48:29 Mark Hatle wrote:
> With the recent vulnerabilities, a bunch of patches are being sent up to the
> list.  The content is generally fine, but I'm wondering if for master we
> should apply all of the official bash patches to get to the latest patch
> version, instead of applying various 'security' fixes that may or may not
> be the official version.
> 
> For instance, bash_4.3:
> 
> SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
> [followed by a bunch of local patches]
> "
> 
> ncftp .../bash/bash-4.3-patches > ls
> bash43-001        bash43-004.sig    bash43-008        bash43-011.sig
> bash43-015        bash43-018.sig    bash43-022        bash43-025.sig
> bash43-001.sig    bash43-005        bash43-008.sig    bash43-012
> bash43-015.sig    bash43-019        bash43-022.sig    bash43-026
> bash43-002        bash43-005.sig    bash43-009        bash43-012.sig
> bash43-016        bash43-019.sig    bash43-023        bash43-026.sig
> bash43-002.sig    bash43-006        bash43-009.sig    bash43-013
> bash43-016.sig    bash43-020        bash43-023.sig    bash43-027
> bash43-003        bash43-006.sig    bash43-010        bash43-013.sig
> bash43-017        bash43-020.sig    bash43-024        bash43-027.sig
> bash43-003.sig    bash43-007        bash43-010.sig    bash43-014
> bash43-017.sig    bash43-021        bash43-024.sig    bash43-028
> bash43-004        bash43-007.sig    bash43-011        bash43-014.sig
> bash43-018        bash43-021.sig    bash43-025        bash43-028.sig
> 
> The community has 28 patches for various bugs (and these security issues)
> posted.  Would it make sense to update to bash 4.3 (28)?
> 
> In our bash 3.2.48:
> 
> SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
> 
> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-049;apply=yes;striplevel=0;name=p
> atch001 \
> 
> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-050;apply=yes;striplevel=0;name=p
> atch002 \
> 
> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-051;apply=yes;striplevel=0;name=p
> atch003 \
> ...
> "
> 
> Some of the upstream items are applied, but I'm wondering if we should
> extend that to patch level 55 (the latest) in the same way.
> 
> Both patch level 4.3 - 28 and 3.2.48 - 55 will apply all of the fixes that
> keep getting submitted plus a set of other general bugs.  It will also make
> it easier for security scanners to simply check the version and know the
> right fixes have been applied.

FWIW, I'm inclined to agree - given the severity and high profile of these 
issues I think we should patch up to the latest patchlevel. Do we have enough 
tests to mitigate any risk of doing that for the 1.7 release, given how late 
we are in the release cycle?

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Bash security vulnerabilities - Question for master
  2014-10-02 15:13 ` Paul Eggleton
@ 2014-10-02 15:48   ` Mark Hatle
  2014-10-02 19:06     ` Otavio Salvador
  0 siblings, 1 reply; 4+ messages in thread
From: Mark Hatle @ 2014-10-02 15:48 UTC (permalink / raw)
  To: Paul Eggleton; +Cc: openembedded-core

On 10/2/14, 10:13 AM, Paul Eggleton wrote:
> On Thursday 02 October 2014 09:48:29 Mark Hatle wrote:
>> With the recent vulnerabilities, a bunch of patches are being sent up to the
>> list.  The content is generally fine, but I'm wondering if for master we
>> should apply all of the official bash patches to get to the latest patch
>> version, instead of applying various 'security' fixes that may or may not
>> be the official version.
>>
>> For instance, bash_4.3:
>>
>> SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
>> [followed by a bunch of local patches]
>> "
>>
>> ncftp .../bash/bash-4.3-patches > ls
>> bash43-001        bash43-004.sig    bash43-008        bash43-011.sig
>> bash43-015        bash43-018.sig    bash43-022        bash43-025.sig
>> bash43-001.sig    bash43-005        bash43-008.sig    bash43-012
>> bash43-015.sig    bash43-019        bash43-022.sig    bash43-026
>> bash43-002        bash43-005.sig    bash43-009        bash43-012.sig
>> bash43-016        bash43-019.sig    bash43-023        bash43-026.sig
>> bash43-002.sig    bash43-006        bash43-009.sig    bash43-013
>> bash43-016.sig    bash43-020        bash43-023.sig    bash43-027
>> bash43-003        bash43-006.sig    bash43-010        bash43-013.sig
>> bash43-017        bash43-020.sig    bash43-024        bash43-027.sig
>> bash43-003.sig    bash43-007        bash43-010.sig    bash43-014
>> bash43-017.sig    bash43-021        bash43-024.sig    bash43-028
>> bash43-004        bash43-007.sig    bash43-011        bash43-014.sig
>> bash43-018        bash43-021.sig    bash43-025        bash43-028.sig
>>
>> The community has 28 patches for various bugs (and these security issues)
>> posted.  Would it make sense to update to bash 4.3 (28)?
>>
>> In our bash 3.2.48:
>>
>> SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
>>
>> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-049;apply=yes;striplevel=0;name=p
>> atch001 \
>>
>> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-050;apply=yes;striplevel=0;name=p
>> atch002 \
>>
>> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-051;apply=yes;striplevel=0;name=p
>> atch003 \
>> ...
>> "
>>
>> Some of the upstream items are applied, but I'm wondering if we should
>> extend that to patch level 55 (the latest) in the same way.
>>
>> Both patch level 4.3 - 28 and 3.2.48 - 55 will apply all of the fixes that
>> keep getting submitted plus a set of other general bugs.  It will also make
>> it easier for security scanners to simply check the version and know the
>> right fixes have been applied.
>
> FWIW, I'm inclined to agree - given the severity and high profile of these
> issues I think we should patch up to the latest patchlevel. Do we have enough
> tests to mitigate any risk of doing that for the 1.7 release, given how late
> we are in the release cycle?

I think between the ptest and normal system integration testing, we have enough 
tests to mitigate the risks.  Plus the patches themselves are heavily tested by 
the [bash] community and the official changes, so I think it's significantly 
less likely they will introduce issues.

--Mark

> Cheers,
> Paul
>



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Bash security vulnerabilities - Question for master
  2014-10-02 15:48   ` Mark Hatle
@ 2014-10-02 19:06     ` Otavio Salvador
  0 siblings, 0 replies; 4+ messages in thread
From: Otavio Salvador @ 2014-10-02 19:06 UTC (permalink / raw)
  To: Mark Hatle; +Cc: Paul Eggleton, Patches and discussions about the oe-core layer

On Thu, Oct 2, 2014 at 12:48 PM, Mark Hatle <mark.hatle@windriver.com> wrote:
> On 10/2/14, 10:13 AM, Paul Eggleton wrote:
>>
>> On Thursday 02 October 2014 09:48:29 Mark Hatle wrote:
>>>
>>> With the recent vulnerabilities, a bunch of patches are being sent up to
>>> the
>>> list.  The content is generally fine, but I'm wondering if for master we
>>> should apply all of the official bash patches to get to the latest patch
>>> version, instead of applying various 'security' fixes that may or may not
>>> be the official version.
>>>
>>> For instance, bash_4.3:
>>>
>>> SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
>>> [followed by a bunch of local patches]
>>> "
>>>
>>> ncftp .../bash/bash-4.3-patches > ls
>>> bash43-001        bash43-004.sig    bash43-008        bash43-011.sig
>>> bash43-015        bash43-018.sig    bash43-022        bash43-025.sig
>>> bash43-001.sig    bash43-005        bash43-008.sig    bash43-012
>>> bash43-015.sig    bash43-019        bash43-022.sig    bash43-026
>>> bash43-002        bash43-005.sig    bash43-009        bash43-012.sig
>>> bash43-016        bash43-019.sig    bash43-023        bash43-026.sig
>>> bash43-002.sig    bash43-006        bash43-009.sig    bash43-013
>>> bash43-016.sig    bash43-020        bash43-023.sig    bash43-027
>>> bash43-003        bash43-006.sig    bash43-010        bash43-013.sig
>>> bash43-017        bash43-020.sig    bash43-024        bash43-027.sig
>>> bash43-003.sig    bash43-007        bash43-010.sig    bash43-014
>>> bash43-017.sig    bash43-021        bash43-024.sig    bash43-028
>>> bash43-004        bash43-007.sig    bash43-011        bash43-014.sig
>>> bash43-018        bash43-021.sig    bash43-025        bash43-028.sig
>>>
>>> The community has 28 patches for various bugs (and these security issues)
>>> posted.  Would it make sense to update to bash 4.3 (28)?
>>>
>>> In our bash 3.2.48:
>>>
>>> SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
>>>
>>>
>>> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-049;apply=yes;striplevel=0;name=p
>>> atch001 \
>>>
>>>
>>> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-050;apply=yes;striplevel=0;name=p
>>> atch002 \
>>>
>>>
>>> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-051;apply=yes;striplevel=0;name=p
>>> atch003 \
>>> ...
>>> "
>>>
>>> Some of the upstream items are applied, but I'm wondering if we should
>>> extend that to patch level 55 (the latest) in the same way.
>>>
>>> Both patch level 4.3 - 28 and 3.2.48 - 55 will apply all of the fixes
>>> that
>>> keep getting submitted plus a set of other general bugs.  It will also
>>> make
>>> it easier for security scanners to simply check the version and know the
>>> right fixes have been applied.
>>
>>
>> FWIW, I'm inclined to agree - given the severity and high profile of these
>> issues I think we should patch up to the latest patchlevel. Do we have
>> enough
>> tests to mitigate any risk of doing that for the 1.7 release, given how
>> late
>> we are in the release cycle?
>
>
> I think between the ptest and normal system integration testing, we have
> enough tests to mitigate the risks.  Plus the patches themselves are heavily
> tested by the [bash] community and the official changes, so I think it's
> significantly less likely they will introduce issues.

I agree as well.

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2014-10-02 19:06 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-10-02 14:48 Bash security vulnerabilities - Question for master Mark Hatle
2014-10-02 15:13 ` Paul Eggleton
2014-10-02 15:48   ` Mark Hatle
2014-10-02 19:06     ` Otavio Salvador

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox