Closed Bug 1077624 Opened 10 years ago Closed 9 years ago

Update bash to a version that includes the shellshock fixes

Categories

(Firefox Build System :: MozillaBuild, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bkhowson, Assigned: RyanVM)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

Steps to reproduce:

Mozilla-Build includes bash.exe vulnerable to shellshock 

D:\mozilla-build\msys\bin> bash -version
GNU bash, version 3.1.0(1)-release (i686-pc-msys)
Copyright (C) 2005 Free Software Foundation, Inc.

D:\mozilla-build\msys\bin>set x=() { :; }; echo vulnerable

D:\mozilla-build\msys\bin>bash -c "echo test"
vulnerable
test



Actual results:

D:\mozilla-build\msys\bin>bash -c "echo test"
vulnerable
test


Expected results:

D:\mozilla-build\msys\bin>bash -c "echo test"
test

Vulnerable, yes. Exploitable? I'm questioning. We're not running any daemons or servers in MozillaBuild. That seems to rule out RCE. You'd have to execute arbitrary code on your own machine to exploit this. At that point, you're already pwn0ed. Is my reasoning wrong?

This was discussed on IRC w/ dveditz last week and deemed not serious enough for this package for us to worry about it (MozillaBuild offers no guarantees about the environment or its usage besides "It'll build Firefox"). We certainly wouldn't support using its environment in a way that exposes them to any shellshock-style risk.

Suggest WONTFIXing this.

Group: mozilla-employee-confidential

Bug 791511 is updating bash to version 3.1.23-1, which includes Shellshock fixes IIUC.

Assignee: nobody → ryanvm
Status: UNCONFIRMED → ASSIGNED
Depends on: 791511
Ever confirmed: true
Summary: windows mozilla-build tools bash → Update bash to a version that includes the shellshock fixes

Bug 791511 has landed. A test build that includes this is available at the link below. Feedback welcome :)
http://people.mozilla.org/~rvandermeulen/MozillaBuildSetup2.0.0pre3.exe

Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Product: mozilla.org → Firefox Build System
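
Added example (not part of the bug thread or of MozillaBuild): a POSIX shell script that reruns the report's probe against any bash binary, for instance to confirm that the bash shipped in an updated install prints only `test`. The function names and the MSYS-style path in the comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: probe bash binaries with the same check as the bug report
# (variable x whose value is a function definition followed by "echo vulnerable").

# Classify the stdout of one probe run. Prints exactly one word:
#   vulnerable   - the command trailing the function body was executed
#   patched      - only the requested "echo test" ran
#   inconclusive - the binary did not produce the expected output at all
classify_probe_output() {
    case "$1" in
        *vulnerable*) echo vulnerable ;;
        test)         echo patched ;;
        *)            echo inconclusive ;;
    esac
}

# Probe one binary. The crafted variable is set through env, so it exists
# only in the child process and never in the calling shell's environment.
probe_bash() {
    bash_bin=$1
    if [ ! -x "$bash_bin" ]; then
        echo inconclusive
        return 0
    fi
    out=$(env 'x=() { :; }; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null) || true
    classify_probe_output "$out"
}

# Print verdict, path and version banner for each binary given; return
# non-zero if any of them is not "patched" so the script can gate a build.
# Assumed invocation (path is hypothetical, adjust to the install):
#   sh check_bash.sh /d/mozilla-build/msys/bin/bash.exe
report() {
    status=0
    for b in "$@"; do
        verdict=$(probe_bash "$b")
        version=$("$b" --version 2>/dev/null | head -n 1)
        printf '%s\t%s\t%s\n' "$verdict" "$b" "${version:-unknown version}"
        [ "$verdict" = patched ] || status=1
    done
    return "$status"
}

if [ "$#" -gt 0 ]; then
    report "$@"
fi
```
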