[OE-core] Bash security vulnerabilities - Question for master

Paul Eggleton paul.eggleton at linux.intel.com
Thu Oct 2 15:13:03 UTC 2014 

On Thursday 02 October 2014 09:48:29 Mark Hatle wrote:
> With the recent vulnerabilities, a bunch of patches are being sent up to the
> list.  The content is generally fine, but I'm wondering if for master we
> should apply all of the official bash patches to get to the latest patch
> version, instead of applying various 'security' fixes that may or may not
> be the official version.
> 
> For instance, bash_4.3:
> 
> SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
> [followed by a bunch of local patches]
> "
> 
> ncftp .../bash/bash-4.3-patches > ls
> bash43-001        bash43-004.sig    bash43-008        bash43-011.sig
> bash43-015        bash43-018.sig    bash43-022        bash43-025.sig
> bash43-001.sig    bash43-005        bash43-008.sig    bash43-012
> bash43-015.sig    bash43-019        bash43-022.sig    bash43-026
> bash43-002        bash43-005.sig    bash43-009        bash43-012.sig
> bash43-016        bash43-019.sig    bash43-023        bash43-026.sig
> bash43-002.sig    bash43-006        bash43-009.sig    bash43-013
> bash43-016.sig    bash43-020        bash43-023.sig    bash43-027
> bash43-003        bash43-006.sig    bash43-010        bash43-013.sig
> bash43-017        bash43-020.sig    bash43-024        bash43-027.sig
> bash43-003.sig    bash43-007        bash43-010.sig    bash43-014
> bash43-017.sig    bash43-021        bash43-024.sig    bash43-028
> bash43-004        bash43-007.sig    bash43-011        bash43-014.sig
> bash43-018        bash43-021.sig    bash43-025        bash43-028.sig
> 
> The community has 28 patches for various bugs (and these security issues)
> posted.  Would it make sense to update to bash 4.3 (28)?
> 
> In our bash 3.2.48:
> 
> SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
> 
> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-049;apply=yes;striplevel=0;name=p
> atch001 \
> 
> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-050;apply=yes;striplevel=0;name=p
> atch002 \
> 
> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-051;apply=yes;striplevel=0;name=p
> atch003 \
> ...
> "
> 
> Some of the upstream items are applied, but I'm wondering if we should
> extend that to patch level 55 (the latest) in the same way.
> 
> Both patch level 4.3 - 28 and 3.2.48 - 55 will apply all of the fixes that
> keep getting submitted plus a set of other general bugs.  It will also make
> it easier for security scanners to simply check the version and know the
> right fixes have been applied.

FWIW, I'm inclined to agree - given the severity and high profile of these 
issues I think we should patch up to the latest patchlevel. Do we have enough 
tests to mitigate any risk of doing that for the 1.7 release, given how late 
we are in the release cycle?

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre

More information about the Openembedded-core mailing list