[OE-core] Bash security vulnerabilities - Question for master

Thu Oct 2 15:48:48 UTC 2014

On 10/2/14, 10:13 AM, Paul Eggleton wrote:
> On Thursday 02 October 2014 09:48:29 Mark Hatle wrote:
>> With the recent vulnerabilities, a bunch of patches are being sent up to the
>> list.  The content is generally fine, but I'm wondering if for master we
>> should apply all of the official bash patches to get to the latest patch
>> version, instead of applying various 'security' fixes that may or may not
>> be the official version.
>>
>> For instance, bash_4.3:
>>
>> SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
>> [followed by a bunch of local patches]
>> "
>>
>> ncftp .../bash/bash-4.3-patches > ls
>> bash43-001        bash43-004.sig    bash43-008        bash43-011.sig
>> bash43-015        bash43-018.sig    bash43-022        bash43-025.sig
>> bash43-001.sig    bash43-005        bash43-008.sig    bash43-012
>> bash43-015.sig    bash43-019        bash43-022.sig    bash43-026
>> bash43-002        bash43-005.sig    bash43-009        bash43-012.sig
>> bash43-016        bash43-019.sig    bash43-023        bash43-026.sig
>> bash43-002.sig    bash43-006        bash43-009.sig    bash43-013
>> bash43-016.sig    bash43-020        bash43-023.sig    bash43-027
>> bash43-003        bash43-006.sig    bash43-010        bash43-013.sig
>> bash43-017        bash43-020.sig    bash43-024        bash43-027.sig
>> bash43-003.sig    bash43-007        bash43-010.sig    bash43-014
>> bash43-017.sig    bash43-021        bash43-024.sig    bash43-028
>> bash43-004        bash43-007.sig    bash43-011        bash43-014.sig
>> bash43-018        bash43-021.sig    bash43-025        bash43-028.sig
>>
>> The community has 28 patches for various bugs (and these security issues)
>> posted.  Would it make sense to update to bash 4.3 (28)?
>>
>> In our bash 3.2.48:
>>
>> SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
>>
>> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-049;apply=yes;striplevel=0;name=p
>> atch001 \
>>
>> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-050;apply=yes;striplevel=0;name=p
>> atch002 \
>>
>> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-051;apply=yes;striplevel=0;name=p
>> atch003 \
>> ...
>> "
>>
>> Some of the upstream items are applied, but I'm wondering if we should
>> extend that to patch level 55 (the latest) in the same way.
>>
>> Both patch level 4.3 - 28 and 3.2.48 - 55 will apply all of the fixes that
>> keep getting submitted plus a set of other general bugs.  It will also make
>> it easier for security scanners to simply check the version and know the
>> right fixes have been applied.
>
> FWIW, I'm inclined to agree - given the severity and high profile of these
> issues I think we should patch up to the latest patchlevel. Do we have enough
> tests to mitigate any risk of doing that for the 1.7 release, given how late
> we are in the release cycle?

I think between the ptest and normal system integration testing, we have enough 
tests to mitigate the risks.  Plus the patches themselves are heavily tested by 
the [bash] community and the official changes, so I think it's significantly 
less likely they will introduce issues.

--Mark

> Cheers,
> Paul
>