I would like to find out how to apply the fix for this vulnerability on Cygwin.
I am running Cygwin on Windows 7; the version is:
CYGWIN_NT-6.1 MYHOSTNAME 1.7.30(0.272/5/3) 2014-05-23 10:36 x86_64 Cygwin
#bash -version
GNU bash, version 4.1.11(2)-release (x86_64-unknown-cygwin)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
I tried apt-cyg but it didn't update anything:
$ apt-cyg update bash
Working directory is /setup
Mirror is http://mirrors.kernel.org/sourceware/cygwin
--2014-09-25 09:24:14-- http://mirrors.kernel.org/sourceware/cygwin/x86_64/setup.bz2
Resolving mirrors.kernel.org (mirrors.kernel.org)... 149.20.4.71, 149.20.20.135, 2001:4f8:1:10:0:1994:3:14, ...
Connecting to mirrors.kernel.org (mirrors.kernel.org)|149.20.4.71|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 431820 (422K) [application/x-bzip2]
Saving to: setup.bz2
100% [======================================================================================>] 431,820 898KB/s in 0.5s
2014-09-25 09:24:14 (898 KB/s) - setup.bz2 saved [431820/431820]
Updated setup.ini
When I try to reinstall by running setup-x86_64.exe and going through the wizard to reinstall the bash that is shown under Shell, it seems to start downloading everything. It should be a very quick update, but it kept downloading for over 15 minutes before I cancelled it. I looked around the https://cygwin.com
site and other forums, but so far have found no specific update for this vulnerability.
As per the official Cygwin Installation Page:
Installing and Updating Cygwin for 64-bit versions of Windows
Run setup-x86_64.exe any time you want to update or install a Cygwin package for 64-bit windows. The signature for setup-x86_64.exe can be used to verify the validity of this binary using this public key.
I had a hunch this bash was affected too, so about 15 minutes before you posted your question I did as the setup page instructed.
There is no need for a third-party script. I believe the process went differently for me because I had not cleaned out my download directory at C:\Cygwin64\Downloads.
The setup utility scanned my currently installed packages, and I left the defaults alone. As such, all packages in the base system were updated. One of these happened to be the bash that is affected by CVE-2014-6271. You can see proof that you are protected in the following screenshot:
Please note that I do not know if this update protects against the other vulnerabilities that have been discovered, so please follow the above procedure the next few days until this issue is completely fixed.
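To re-check bash after running setup-x86_64.exe, the one-liner from the question can be wrapped in a function that reports a verdict instead of relying on eyeballing the output. This is an added example, not code from the question, the answer or the Cygwin project; the function names, the environment variable name `x` and the marker strings are constructed for it, and it assumes the shell under test is reachable as `bash` on PATH (or as the path given as its first argument).

```shell
# CVE-2014-6271 (Shellshock) check, added example. Assumes the shell under test is
# reachable as "$1" (default: bash on PATH). The variable name "x" and the marker
# strings are constructed for this example, matching the test in the question.
shellshock_check() {
    sh_bin="${1:-bash}"
    if ! command -v "$sh_bin" >/dev/null 2>&1; then
        echo "error: $sh_bin not found"
        return 2
    fi
    # The crafted value is a function definition ("() { :;}") followed by trailing
    # code. A vulnerable bash runs the trailing "echo vulnerable" while importing
    # the function from the environment at startup; a patched bash does not.
    out="$(env x='() { :;}; echo vulnerable' "$sh_bin" -c 'echo this is a test' 2>/dev/null)"
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Print the version line alongside the verdict, the way the question pairs
# "bash -version" output with the test result.
shellshock_report() {
    sh_bin="${1:-bash}"
    ver="$("$sh_bin" --version 2>/dev/null | head -n 1)"
    printf '%s: %s\n' "${ver:-$sh_bin}" "$(shellshock_check "$sh_bin")"
}

shellshock_report bash
```

Run it from a Cygwin terminal before and after the update; the verdict should change from "vulnerable" to "patched" once the updated bash package is installed. Because the shell under test is taken from PATH, run it from a fresh terminal after the update so that the new bash binary is the one being checked.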