[OE-core] Bash security vulnerabilities - Question for master

Thu Oct 2 19:06:22 UTC 2014

On Thu, Oct 2, 2014 at 12:48 PM, Mark Hatle <mark.hatle at windriver.com> wrote:
> On 10/2/14, 10:13 AM, Paul Eggleton wrote:
>>
>> On Thursday 02 October 2014 09:48:29 Mark Hatle wrote:
>>>
>>> With the recent vulnerabilities, a bunch of patches are being sent up to
>>> the
>>> list.  The content is generally fine, but I'm wondering if for master we
>>> should apply all of the official bash patches to get to the latest patch
>>> version, instead of applying various 'security' fixes that may or may not
>>> be the official version.
>>>
>>> For instance, bash_4.3:
>>>
>>> SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
>>> [followed by a bunch of local patches]
>>> "
>>>
>>> ncftp .../bash/bash-4.3-patches > ls
>>> bash43-001        bash43-004.sig    bash43-008        bash43-011.sig
>>> bash43-015        bash43-018.sig    bash43-022        bash43-025.sig
>>> bash43-001.sig    bash43-005        bash43-008.sig    bash43-012
>>> bash43-015.sig    bash43-019        bash43-022.sig    bash43-026
>>> bash43-002        bash43-005.sig    bash43-009        bash43-012.sig
>>> bash43-016        bash43-019.sig    bash43-023        bash43-026.sig
>>> bash43-002.sig    bash43-006        bash43-009.sig    bash43-013
>>> bash43-016.sig    bash43-020        bash43-023.sig    bash43-027
>>> bash43-003        bash43-006.sig    bash43-010        bash43-013.sig
>>> bash43-017        bash43-020.sig    bash43-024        bash43-027.sig
>>> bash43-003.sig    bash43-007        bash43-010.sig    bash43-014
>>> bash43-017.sig    bash43-021        bash43-024.sig    bash43-028
>>> bash43-004        bash43-007.sig    bash43-011        bash43-014.sig
>>> bash43-018        bash43-021.sig    bash43-025        bash43-028.sig
>>>
>>> The community has 28 patches for various bugs (and these security issues)
>>> posted.  Would it make sense to update to bash 4.3 (28)?
>>>
>>> In our bash 3.2.48:
>>>
>>> SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
>>>
>>>
>>> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-049;apply=yes;striplevel=0;name=p
>>> atch001 \
>>>
>>>
>>> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-050;apply=yes;striplevel=0;name=p
>>> atch002 \
>>>
>>>
>>> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-051;apply=yes;striplevel=0;name=p
>>> atch003 \
>>> ...
>>> "
>>>
>>> Some of the upstream items are applied, but I'm wondering if we should
>>> extend that to patch level 55 (the latest) in the same way.
>>>
>>> Both patch level 4.3 - 28 and 3.2.48 - 55 will apply all of the fixes
>>> that
>>> keep getting submitted plus a set of other general bugs.  It will also
>>> make
>>> it easier for security scanners to simply check the version and know the
>>> right fixes have been applied.
>>
>>
>> FWIW, I'm inclined to agree - given the severity and high profile of these
>> issues I think we should patch up to the latest patchlevel. Do we have
>> enough
>> tests to mitigate any risk of doing that for the 1.7 release, given how
>> late
>> we are in the release cycle?
>
>
> I think between the ptest and normal system integration testing, we have
> enough tests to mitigate the risks.  Plus the patches themselves are heavily
> tested by the [bash] community and the official changes, so I think it's
> significantly less likely they will introduce issues.

I agree as well.

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750