Closed
Bug 1077624
Opened 10 years ago
Closed 9 years ago
Update bash to a version that includes the shellshock fixes
Categories
(Firefox Build System :: MozillaBuild, task)
Firefox Build System
MozillaBuild
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: bkhowson, Assigned: RyanVM)
References
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36 Steps to reproduce: Mozilla-Build includes bash.exe vulnerable to shellshock D:\mozilla-build\msys\bin> bash -version GNU bash, version 3.1.0(1)-release (i686-pc-msys) Copyright (C) 2005 Free Software Foundation, Inc. D:\mozilla-build\msys\bin>set x=() { :; }; echo vulnerable D:\mozilla-build\msys\bin>bash -c "echo test" vulnerable test Actual results: D:\mozilla-build\msys\bin>bash -c "echo test" vulnerable test Expected results: D:\mozilla-build\msys\bin>bash -c "echo test" test
Comment 1•10 years ago
|
||
Vulnerable, yes. Exploitable? I'm questioning. We're not running any daemons or servers in MozillaBuild. That seems to rule out RCE. You'd have to execute arbitrary code on your own machine to exploit this. At that point, you're already pwn0ed. Is my reasoning wrong?
Assignee | ||
Comment 2•10 years ago
|
||
This was discussed on IRC w/ dveditz last week and deemed not serious enough for this package for us to worry about it (MozillaBuild offers no guarantees about the environment or its usage besides "It'll build Firefox"). We certainly wouldn't support using its environment in a way that exposes them to any shellshock-style risk. Suggest WONTFIXing this.
Group: mozilla-employee-confidential
Assignee | ||
Comment 3•9 years ago
|
||
Bug 791511 is updating bash to version 3.1.23-1, which includes Shellshock fixes IIUC.
Assignee: nobody → ryanvm
Blocks: MozillaBuild2.0
Status: UNCONFIRMED → ASSIGNED
Depends on: 791511
Ever confirmed: true
Summary: windows mozilla-build tools bash → Update bash to a version that includes the shellshock fixes
Assignee | ||
Comment 4•9 years ago
|
||
Bug 791511 has landed. A test build that includes this is available at the link below. Feedback welcome :) http://people.mozilla.org/~rvandermeulen/MozillaBuildSetup2.0.0pre3.exe
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated•1 year ago
|
Product: mozilla.org → Firefox Build System
You need to log in
before you can comment on or make changes to this bug.
Description
•