Security Advisory Critical: bash Shift_JIS security update

Advisory: RHSA-2014:1295-1
Type: Security Advisory
Severity: Critical
Issued on: 2014-09-24
Last updated on: 2014-09-24
Affected Products: Red Hat Enterprise S-JIS Service
CVEs (cve.mitre.org): CVE-2014-6271

Details

Updated bash Shift_JIS packages that fix one security issue are now
available for Red Hat Enterprise Linux 5 and 6.

Red Hat Product Security has rated this update as having Critical security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

The GNU Bourne Again shell (Bash) is a shell and command language
interpreter compatible with the Bourne shell (sh). Bash is the default
shell for Red Hat Enterprise Linux.

Shift_JIS, also known as "SJIS", is a character encoding for the Japanese
language. This package provides bash support for the Shift_JIS encoding.

A flaw was found in the way Bash evaluated certain specially crafted
environment variables. An attacker could use this flaw to override or
bypass environment restrictions to execute shell commands. Certain
services and applications allow remote unauthenticated attackers to
provide environment variables, allowing them to exploit this issue.
(CVE-2014-6271)

For additional information on the CVE-2014-6271 flaw, refer to the
Knowledgebase article at https://access.redhat.com/articles/1200223

Red Hat would like to thank Stephane Chazelas for reporting this issue.

All users who require Shift_JIS encoding support with Bash built-in
functions are advised to upgrade to these updated packages, which contain a
backported patch to correct this issue.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

Updated packages

Red Hat Enterprise S-JIS Service

SRPMS:
bash-3.2-33.el5_11.1.sjis.1.src.rpm
File outdated by:  RHEA-2014:1991
    MD5: 0ae58c0c1db073e4dd377fb3ab87f5a0
SHA-256: e73b2394a61863d39e6fee9181d87c2f8673065e3c8d3a2b7b0f5093eaa97a9f
bash-4.1.2-15.el6_5.1.sjis.1.src.rpm
File outdated by:  RHEA-2016:0344
    MD5: 289cd49f2344982742bcec50ef3c9de3
SHA-256: 013c424a37c75f93471ec86c8e14f103ae9da1b7ac2e34a0913f012b0532f1ee
 
IA-32:
bash-3.2-33.el5_11.1.sjis.1.i386.rpm
File outdated by:  RHEA-2014:1991
    MD5: ebae12e60d6d7bdf0539225ec44251f8
SHA-256: 65d4d331d7231e85fc7d9899a63897e3e87899fed81de410440cf23dc477ae7f
bash-4.1.2-15.el6_5.1.sjis.1.i686.rpm
File outdated by:  RHEA-2016:0344
    MD5: f7570840681485a372a4a0b6484105f6
SHA-256: c8e3f3871202ee7dbf932771b1517a81462494a103f1e0d016cbce445ca20266
bash-debuginfo-3.2-33.el5_11.1.sjis.1.i386.rpm
File outdated by:  RHEA-2014:1991
    MD5: da0bdaf4bcf078b8c4963336f457e432
SHA-256: 4f5159e7d5a1794ee6927c54b6c0f3db1f553091a2383e36f31ec2c1d56e61d6
bash-debuginfo-4.1.2-15.el6_5.1.sjis.1.i686.rpm
File outdated by:  RHEA-2016:0344
    MD5: 1955b5c6c7d15256fbc78d93ec406f50
SHA-256: 2af744c54e9951cd19b8ff8ceb8aac2222378173c801700a3b381dd5d937fcaa
bash-doc-4.1.2-15.el6_5.1.sjis.1.i686.rpm
File outdated by:  RHEA-2016:0344
    MD5: e9c7f180944c67cf16db0b6e26b59293
SHA-256: f0597650a6056b4592dbdf3e122759651a4e02d9eeac72b11299706ef8c09792
 
IA-64:
bash-3.2-33.el5_11.1.sjis.1.i386.rpm
File outdated by:  RHEA-2014:1991
    MD5: ebae12e60d6d7bdf0539225ec44251f8
SHA-256: 65d4d331d7231e85fc7d9899a63897e3e87899fed81de410440cf23dc477ae7f
bash-3.2-33.el5_11.1.sjis.1.ia64.rpm
File outdated by:  RHEA-2014:1991
    MD5: 06cc0ade013bea360128aee976887aea
SHA-256: dc2f6368a202af4de60fc9b13ada35ef4cdce26602586fb0c76b8bf509180c2f
bash-debuginfo-3.2-33.el5_11.1.sjis.1.i386.rpm
File outdated by:  RHEA-2014:1991
    MD5: da0bdaf4bcf078b8c4963336f457e432
SHA-256: 4f5159e7d5a1794ee6927c54b6c0f3db1f553091a2383e36f31ec2c1d56e61d6
bash-debuginfo-3.2-33.el5_11.1.sjis.1.ia64.rpm
File outdated by:  RHEA-2014:1991
    MD5: 6bed9bfd152bfa1edea26866b5b91c54
SHA-256: cbbee113ed5294d371ee7351e9440fc046ba4bae7b925058b00caf31c3d87999
 
x86_64:
bash-3.2-33.el5_11.1.sjis.1.x86_64.rpm
File outdated by:  RHEA-2014:1991
    MD5: dda5dc1e683296524aeaa78396fd1a65
SHA-256: 610b03375fae5931aa38b3f16ccd591c61186ceac05ebac7ae562bfd9ad65eed
bash-4.1.2-15.el6_5.1.sjis.1.x86_64.rpm
File outdated by:  RHEA-2016:0344
    MD5: 04821778c2d53440410091cebbce74b5
SHA-256: 85733a2b52456106d25e4cdfd2a76eeec2339e400d5f94d0105fe2821d874c12
bash-debuginfo-3.2-33.el5_11.1.sjis.1.x86_64.rpm
File outdated by:  RHEA-2014:1991
    MD5: afff781afc66070f2896557cb5bdc4ce
SHA-256: e22c3cf8f3d5f063bb9ba204c1f91573f4434956640856225edb0365cd6ac6ed
bash-debuginfo-4.1.2-15.el6_5.1.sjis.1.x86_64.rpm
File outdated by:  RHEA-2016:0344
    MD5: e89adb8ab04aa898811a5dc3e50f8031
SHA-256: 590a4ab0b902312df6f8b98a278732780d5ada846ae5e67795b1e968adf0659b
bash-doc-4.1.2-15.el6_5.1.sjis.1.x86_64.rpm
File outdated by:  RHEA-2016:0344
    MD5: 0bf97c7b1b9043884ca14f613e46129e
SHA-256: fb564593d14b26668dd802a856dc80a41341b72d4b7a0b95221901423e1a31a7
 
(The unlinked packages above are only available from the Red Hat Network)
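
One way to check a host inventory against the fixed builds listed above. This is an added example, not Red Hat's code or part of the original advisory. It assumes name-version-release strings without epoch or architecture (for instance from `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' bash`); the host names, inventory entries, function names and status labels are constructed for illustration.

```python
import re

# Fixed builds named in this advisory, keyed by dist tag: (version, release).
FIXED = {
    "el5": ("3.2", "33.el5_11.1.sjis.1"),
    "el6": ("4.1.2", "15.el6_5.1.sjis.1"),
}
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Segment-wise comparison in the style of RPM (no epoch, no '~' or '^')."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():       # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        if x.isdigit():                      # both numeric: compare as integers
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments are newer

def erratum_status(nvr):
    """Return 'fixed', 'needs-update' or 'not-covered' for one NVR string."""
    parts = nvr.rsplit("-", 2)
    if len(parts) != 3:
        return "not-covered"                 # e.g. "package bash is not installed"
    name, version, release = parts
    dist = re.search(r"\.(el[0-9]+)", release)
    # This advisory covers only the Shift_JIS bash builds for EL5 and EL6.
    if name != "bash" or ".sjis." not in release or not dist or dist.group(1) not in FIXED:
        return "not-covered"
    fixed_version, fixed_release = FIXED[dist.group(1)]
    order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return "fixed" if order >= 0 else "needs-update"

# Constructed inventory (host -> installed bash NVR); not real hosts or real builds.
INVENTORY = {
    "host-a": "bash-3.2-33.el5_11.1.sjis.1",
    "host-b": "bash-3.2-33.el5.sjis.1",
    "host-c": "bash-4.1.2-15.el6_4.sjis.1",
    "host-d": "bash-4.1.2-15.el6_5.1",
}

def audit(inventory):
    return {host: erratum_status(nvr) for host, nvr in inventory.items()}

if __name__ == "__main__":
    for host, state in audit(INVENTORY).items():
        print(host, state)
```

Hosts reported as "not-covered" run a bash build outside this erratum (for example the standard, non-Shift_JIS package) and have to be checked against the advisory that applies to that package.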

Bugs fixed (see bugzilla for more information)

1141597 - CVE-2014-6271 bash: specially-crafted environment variables can be used to inject shell commands


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/