CVE-2014-7187

Impact:
Moderate
Public Date:
2014-09-26
IAVA:
2014-A-0142
CWE:
CWE-193
Bugzilla:
1146804: CVE-2014-7187 bash: off-by-one error in deeply nested flow control constructs
An off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. Depending on the layout of the .bss segment, this could allow arbitrary execution of code that would not otherwise be executed by Bash.

Find out more about CVE-2014-7187 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

Red Hat Product Security does not consider this bug to have any security impact on the bash packages shipped in Red Hat Enterprise Linux. A fix for this issue was applied as a hardening in RHSA-2014:1306, RHSA-2014:1311, and RHSA-2014:1312.

CVSS v2 metrics

Base Score 4.6
Base Metrics AV:L/AC:L/Au:N/C:P/I:P/A:P
Access Vector Local
Access Complexity Low
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
S-JIS for Red Hat Enteprise Linux 6 Server (bash) RHSA-2014:1312 2014-09-26
Red Hat Enterprise Linux Extended Lifecycle Support 4 (bash) RHSA-2014:1311 2014-09-26
S-JIS for Red Hat Enteprise Linux 5 Server (bash) RHSA-2014:1865 2014-11-17
Red Hat Enterprise Linux 5 (bash) RHSA-2014:1306 2014-09-26
Red Hat Enterprise Linux EUS (v. 5.9 server) (bash) RHSA-2014:1311 2014-09-26
Red Hat Enterprise Linux 6 (bash) RHSA-2014:1306 2014-09-26
RHEV-M for Servers (rhev-hypervisor6) RHSA-2014:1354 2014-10-02
Red Hat Enterprise Linux Advanced Update Support 6.2 (bash) RHSA-2014:1311 2014-09-26
Red Hat Enterprise Linux 7 (bash) RHSA-2014:1306 2014-09-26
Red Hat Enterprise Linux Extended Update Support 6.4 (bash) RHSA-2014:1311 2014-09-26
S-JIS for Red Hat Enteprise Linux 5 Server (bash) RHSA-2014:1312 2014-09-26
Red Hat Enterprise Linux Long Life (v. 5.6 server) (bash) RHSA-2014:1311 2014-09-26

Affected Packages State

Platform Package State
Red Hat Enterprise Linux 3 bash Not affected

Acknowledgements

This issue was discovered by Florian Weimer of Red Hat Product Security.

Last Modified