Update bash to a version that includes the shellshock fixes

RESOLVED FIXED

Status

mozilla.org
MozillaBuild

People

(Reporter: brian howson, Assigned: RyanVM)


Description

3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

Steps to reproduce:

Mozilla-Build includes bash.exe vulnerable to shellshock 

D:\mozilla-build\msys\bin> bash -version
GNU bash, version 3.1.0(1)-release (i686-pc-msys)
Copyright (C) 2005 Free Software Foundation, Inc.

D:\mozilla-build\msys\bin>set x=() { :; }; echo vulnerable

D:\mozilla-build\msys\bin>bash -c "echo test"
vulnerable
test



Actual results:

D:\mozilla-build\msys\bin>bash -c "echo test"
vulnerable
test


Expected results:

D:\mozilla-build\msys\bin>bash -c "echo test"
test
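
The reporter's probe above, turned into a repeatable check for bundled copies of bash. This is an added example, not part of the original bug report or of MozillaBuild. The function names are hypothetical, and it assumes a POSIX shell with `env` and `find` available (the MSYS shell itself would do).

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.
# Usage after sourcing this file: scan_bundled_bash /path/to/toolchain

# check_function_import PATH
# Runs the report's probe against one bash binary: a variable whose value is a
# function definition followed by a trailing command, then an unrelated command.
# Prints "vulnerable", "not vulnerable" or "error"; returns 1, 0 or 2.
check_function_import() {
    if [ ! -f "$1" ] || [ ! -x "$1" ]; then
        echo "error"
        return 2
    fi
    marker="IMPORT_MARKER_$$"   # constructed marker, unlikely to appear by chance
    out=$(env "x=() { :; }; echo $marker" "$1" -c "echo test" 2>/dev/null </dev/null) || true
    case $out in
        *"$marker"*) echo "vulnerable"; return 1 ;;
        *test*)      echo "not vulnerable"; return 0 ;;
        *)           echo "error"; return 2 ;;
    esac
}

# scan_bundled_bash ROOT
# Probes every file named bash or bash.exe below ROOT (for example a toolchain
# install directory). Prints "<result><TAB><path>" per copy and returns 1 if
# any copy is vulnerable. Paths containing newlines are not handled.
scan_bundled_bash() {
    any_vulnerable=0
    copies=$(find "$1" -type f \( -name bash -o -name bash.exe \) 2>/dev/null) || true
    while IFS= read -r candidate; do
        [ -n "$candidate" ] || continue
        result=$(check_function_import "$candidate") || true
        printf '%s\t%s\n' "$result" "$candidate"
        if [ "$result" = "vulnerable" ]; then
            any_vulnerable=1
        fi
    done <<EOF
$copies
EOF
    return "$any_vulnerable"
}
```

The check is behavioural rather than a version-string comparison, so it also catches copies whose version banner was not updated along with the binary.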

Comment 1

3 years ago
Vulnerable, yes. Exploitable? I'm questioning. We're not running any daemons or servers in MozillaBuild. That seems to rule out RCE. You'd have to execute arbitrary code on your own machine to exploit this. At that point, you're already pwn0ed. Is my reasoning wrong?
(Assignee)

Comment 2

3 years ago
This was discussed on IRC w/ dveditz last week and deemed not serious enough for this package for us to worry about it (MozillaBuild offers no guarantees about the environment or its usage besides "It'll build Firefox"). We certainly wouldn't support using its environment in a way that exposes them to any shellshock-style risk.

Suggest WONTFIXing this.
Group: mozilla-employee-confidential
(Assignee)

Comment 3

3 years ago
Bug 791511 is updating bash to version 3.1.23-1, which includes Shellshock fixes IIUC.
Assignee: nobody → ryanvm
Blocks: 791486
Status: UNCONFIRMED → ASSIGNED
Depends on: 791511
Ever confirmed: true
Summary: windows mozilla-build tools bash → Update bash to a version that includes the shellshock fixes
(Assignee)

Comment 4

3 years ago
Bug 791511 has landed. A test build that includes this is available at the link below. Feedback welcome :)
http://people.mozilla.org/~rvandermeulen/MozillaBuildSetup2.0.0pre3.exe
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED