Bash bug

neko
Contributor
Posts: 867
Joined: 09 Feb 2013, 09:55
Distribution: APorteus-FVWM-ja-x86_64.iso
Location: japan

Re: Bash bug

Post#16 by neko » 04 Oct 2014, 16:38

@bour59
I am sorry for missing the needed library.
Thank you very much for your report.

================================================

For 32 bit, version 3.0.1
001-core2.xzm was updated to 001-core3.xzm.

http://www.mediafire.com/download/on9s3 ... -core3.xzm
48a70bb126e10f5c472b3feb508a1228 001-core3.xzm

'bash', the content of 001-core.xzm, was updated to fix the "Shellshock" problem.
And the library needed for the new bash was included in 001-core3.xzm.

Thanks.

bour59
Samurai
Posts: 118
Joined: 29 Dec 2010, 08:10
Distribution: porteus v3.2.2-xfce
Location: France

Re: Bash bug

Post#17 by bour59 » 04 Oct 2014, 18:16

@neko
All's fine now.
Please, what can explain the different sizes of
001-core.xzm (51298304)
001-core3.xzm (47292407)?
Thanks

fanthom
Site Admin
Posts: 4548
Joined: 28 Dec 2010, 02:42
Distribution: Porteus Kiosk
Location: Poland, currently - Cork, IE

Re: Bash bug

Post#18 by fanthom » 04 Oct 2014, 18:48

I was playing with different block sizes for squash, and it looks like 001-core.xzm from 3.0.1 is compressed with 128k while it should be 256k (our default).
That's why the original xzm is bigger.

Sorry for that.
Please add [Solved] to your thread title if the solution was found.

Ed_P
Contributor
Posts: 3070
Joined: 06 Feb 2013, 22:12
Distribution: Cinnamon 3.2.2 64-bit ISO
Location: Western NY, USA

Re: Bash bug

Post#19 by Ed_P » 05 Oct 2014, 04:36

So is the official fix for this 001-core3.xzm or

brokenman wrote: You can now update the database to get this patch if you wish.

Code:

usm -u slackwarepatches
usm -g bash

Ed

neko
Contributor
Posts: 867
Joined: 09 Feb 2013, 09:55
Distribution: APorteus-FVWM-ja-x86_64.iso
Location: japan

Re: Bash bug

Post#20 by neko » 05 Oct 2014, 13:06

@bour59

The update to 001-core3.xzm was done in the following steps.

1) Separate
The original 001-core.xzm was separated into individual packages
depending on the information in /var/log/packages/XXXXs.

2) Update
Then the "bash update" was done.
All /var/log/packages/XXXXs were updated.

3) Merge
Finally the packages were merged into the 001-core3 directory,
and 001-core3 was compressed into the 001-core3.xzm module.

# mksquashfs 001-core3 001-core3.xzm -b 256K -comp xz -Xbcj x86

Thanks.
=====================================
[ diff -r 001-core 001-core3 ]

Binary files 001-core/bin/bash and 001-core3/bin/bash differ
Only in 001-core3/bin: rbash
Binary files 001-core/bin/sh and 001-core3/bin/sh differ
Only in 001-core3/etc: bash.bashrc
Only in 001-core3/etc/skel: .bash_logout
Only in 001-core3/etc/skel: .bashrc
Only in 001-core3/etc/skel: .profile
Only in 001-core3/lib: libtinfo.so.5
Only in 001-core3/lib: libtinfo.so.5.9
Only in 001-core3/usr/X11/bin: bashbug
Only in 001-core3/usr/X11/bin: clear_console
Only in 001-core/usr/X11/man/man1: bash.1
Only in 001-core3/usr/X11/share: lintian
Only in 001-core3/usr/X11/share: man
Only in 001-core3/usr/X11/share: menu
Only in 001-core3/usr/X11R6/bin: bashbug
Only in 001-core3/usr/X11R6/bin: clear_console
Only in 001-core/usr/X11R6/man/man1: bash.1
Only in 001-core3/usr/X11R6/share: lintian
Only in 001-core3/usr/X11R6/share: man
Only in 001-core3/usr/X11R6/share: menu
Only in 001-core3/usr/bin: bashbug
Only in 001-core3/usr/bin: clear_console
Only in 001-core/usr/man/man1: bash.1
Only in 001-core3/usr/share: lintian
Only in 001-core3/usr/share: man
Only in 001-core3/usr/share: menu

There are many diffs in /var/log/packages/XXXXs.
=====================================
Last edited by neko on 12 Oct 2014, 03:27, edited 1 time in total.

Rava
Contributor
Posts: 1319
Joined: 11 Jan 2011, 02:46
Distribution: Porteus 3.1.0 x86-64 XFCe
Location: Germany

Re: Bash bug

Post#21 by Rava » 08 Oct 2014, 07:15

@all
Is there an updated version for 3.0.1 x86-64 as well? I only read about the 32 bit updated 001-core3.xzm above...

________________________________________

For the 4.2 version, the newest patch is bash42-053 (according to http://ftp.gnu.org/gnu/bash/bash-4.2-patches/ ) but usm gives me as newest version only this: bash-4.2.045-x86_64-1.txz

Is the bash-4.2.053-x86_64-1.txz still available somewhere?

Strangely enough, while gnu.org tells me 4.2.053 is the newest patch, http://pkgs.org/download/bash tells me that ALT Linux Sisyphus has bash-3.2.54-alt1.x86_64.rpm. Do they really have the 054 patch when gnu.org itself only has 053?

pkgs.org gives me as newest bash bash-4.2.045-x86_64-1.txz (same as usm) and as newest patch only bash-4.2.050-x86_64-1_slack14.1.txz ...

After

Code:

root@porteus:/mnt# usm -u slackwarepatches

I only get these as newest version/patches:

Code:

root@porteus:/mnt# usm -s bash

bash-4.2.050-x86_64-1_slack14.1.txz was found in slackwarepatches
bash-4.2.045-x86_64-1.txz was found in slackware

(same as http://pkgs.org)

Does anyone know a site that incorporates the newest gnu.org patches, as in: currently the 053 patch for 4.2?
Cheers!
Yours Rava

neko
Contributor
Posts: 867
Joined: 09 Feb 2013, 09:55
Distribution: APorteus-FVWM-ja-x86_64.iso
Location: japan

Re: Bash bug

Post#22 by neko » 08 Oct 2014, 13:33

@Rava
This month, I cannot upload an updated 001-core.xzm for the 64 bit version 3.0.1.
(Next month I can use a 64bit PC.)

The "bash_4.2-2ubuntu2.5_i386" package from 32 bit UBUNTU14.04 was used.

*) Now, I am replacing bash with dash.

Thanks.

Rava
Contributor
Posts: 1319
Joined: 11 Jan 2011, 02:46
Distribution: Porteus 3.1.0 x86-64 XFCe
Location: Germany

Re: Bash bug

Post#23 by Rava » 08 Oct 2014, 15:46

@neko
So, is dash working fine for all bash scripts? Can it be used for the time being as a complete bash replacement until the bash shellshock vulnerability issues are solved?

And how would one incorporate that? Run some uninstaller using the /tmp/core-whatever folder as root, and also using that folder to install or xzm2dir dash?
_________________________

Also, are you really running XFCE-v2.0-rc2-i486.iso as your avatar text suggests? Sounds more like you use XFCE-v3.0.1-i486 to me...
Cheers!
Yours Rava

brokenman
Site Admin
Posts: 5439
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v3.2rcX all desktops
Location: Brazil

Re: Bash bug

Post#24 by brokenman » 08 Oct 2014, 19:23

Rava wrote: So, is dash working fine for all bash scripts?

This cannot be guaranteed. There are many bashisms in many scripts.

Some of these include the use of $RANDOM, select, let, and source keywords, shell arithmetic, the -e option to echo, the use of "." to search the current directory .... and many other things.

How do i become super user?
Wear your underpants on the outside and put on a cape.
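
The constructs named in the post above can be searched for mechanically before a script is pointed at dash. The following is an added example, not code from the thread or from Porteus: a heuristic POSIX sh scanner whose function names and sample script are constructed for illustration, and which treats "shell arithmetic" as the standalone (( )) command (an assumption).

```shell
#!/bin/sh
# Added example (not from the thread): heuristic scan for bash-only constructs.
# It matches text, not syntax, so hits inside strings or here-documents are
# false positives to review by hand.

# find_bashisms FILE: print "LINE:CONSTRUCT" for each suspected bashism.
find_bashisms() {
    awk '
        /^[ \t]*#/                          { next }  # comment lines, shebang
        /\$[{]?RANDOM/                      { print NR ":$RANDOM" }
        /(^|[;&| \t])let[ \t]/              { print NR ":let" }
        /(^|[;&| \t])source[ \t]/           { print NR ":source" }
        /(^|[;&| \t])select[ \t]+[A-Za-z_]/ { print NR ":select" }
        # builtin echo -e only; /bin/echo -e is the external program
        /(^|[;&| \t])echo[ \t]+-[nE]*e/     { print NR ":echo -e" }
        # standalone (( )) command; $(( )) expansion is POSIX and not flagged
        /(^|[;&| \t])\(\(/                  { print NR ":(( ))" }
    ' "$1"
}

# Constructed sample script, written to a temporary file and scanned.
scan_sample() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
#!/bin/bash
n=$RANDOM
let n=n+1
source ./lib.sh
echo -e "a\tb"
/bin/echo -e "ok"
total=$((n + 1))
(( total > 5 )) && echo big
select opt in a b; do break; done
EOF
    find_bashisms "$sample"
    rm -f "$sample"
}

scan_sample
```

Run it as find_bashisms /path/to/script on each script that would be executed by the replacement shell; an empty result only means none of these particular constructs was found.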

Rava
Contributor
Posts: 1319
Joined: 11 Jan 2011, 02:46
Distribution: Porteus 3.1.0 x86-64 XFCe
Location: Germany

Re: Bash bug

Post#25 by Rava » 08 Oct 2014, 20:23

^
At least the -e option of echo could be reproduced when replacing

Code:

echo -e bla

with

Code:

/bin/echo -e blubb

:D

Anyhow, is it recommendable to replace 001's bash with dash? Would all system scripts including all Porteus scripts still work okay?
When I just have to debug/change/whatever my own dozens of scripts, I can live with that... but having a buggy and faulty Porteus is not something I desire...
Cheers!
Yours Rava

donald
Full of knowledge
Posts: 1126
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Re: Bash bug

Post#26 by donald » 08 Oct 2014, 23:53

anyone in doubt...test your bash...this script checks against 6 public vulnerabilities.
https://github.com/hannob/bashcheck

User avatar
brokenman
Site Admin
Site Admin
Posts: 5439
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v3.2rcX all desktops
Location: Brazil
Contact:

Re: Bash bug

Post#27 by brokenman » 09 Oct 2014, 00:43

Rava wrote: Anyhow, is it recommendable to replace 001's bash with dash?

No (see my above post for reasons).

Your echo -e example is not valid. Check man echo to see why.

Rava
Contributor
Posts: 1319
Joined: 11 Jan 2011, 02:46
Distribution: Porteus 3.1.0 x86-64 XFCe
Location: Germany

Re: Bash bug

Post#28 by Rava » 10 Oct 2014, 00:07

brokenman wrote: Your echo -e example is not valid. Check man echo to see why.

Code:

man echo:

-e     enable interpretation of backslash escapes

You confuse me, brokenman...
Cheers!
Yours Rava

cttan
Shogun
Posts: 332
Joined: 26 Jan 2011, 16:15
Distribution: Porteus 3.2 64bit KDE
Location: Malaysia

Re: Bash bug

Post#29 by cttan » 10 Oct 2014, 05:36

Hi donald,

The bash check is good.

I just updated using usm -g bash and all is good now, as in the output below.

Code:

root@a10b23c45d67:~# ./bashcheck 
Testing /usr/bin/bash ...
GNU bash, version 4.2.50(2)-release (x86_64-slackware-linux-gnu)

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Found non-exploitable CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)
root@a10b23c45d67:~#

bashcheck script from donald's link:

Code:

#!/bin/bash

warn() {
	if [ "$scary" == "1" ]; then
		echo -e "\033[91mVulnerable to $1\033[39m"
	else
		echo -e "\033[93mFound non-exploitable $1\033[39m"
	fi
}

good() {
	echo -e "\033[92mNot vulnerable to $1\033[39m"
}

tmpdir=`mktemp -d -t tmp.XXXXXXXX`

[ -n "$1" ] && bash=$(which $1) || bash=$(which bash)
echo -e "\033[95mTesting $bash ..."
echo $($bash --version | head -n 1)
echo -e "\033[39m"

#r=`a="() { echo x;}" $bash -c a 2>/dev/null`
if [ -n "$(env 'a'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[91mVariable function parser active, maybe vulnerable to unknown parser bugs\033[39m"
	scary=1
elif [ -n "$(env 'BASH_FUNC_a%%'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[92mVariable function parser pre/suffixed [%%, upstream], bugs not exploitable\033[39m"
	scary=0
elif [ -n "$(env 'BASH_FUNC_a()'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[92mVariable function parser pre/suffixed [(), redhat], bugs not exploitable\033[39m"
	scary=0
elif [ -n "$(env 'BASH_FUNC_<a>%%'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[92mVariable function parser pre/suffixed [<..>%%, apple], bugs not exploitable\033[39m"
	scary=0
else
	echo -e "\033[92mVariable function parser inactive, bugs not exploitable\033[39m"
	scary=0
fi


r=`env x="() { :; }; echo x" $bash -c "" 2>/dev/null`
if [ -n "$r" ]; then
	warn "CVE-2014-6271 (original shellshock)"
else
	good "CVE-2014-6271 (original shellshock)"
fi

cd $tmpdir
env x='() { function a a>\' $bash -c echo 2>/dev/null > /dev/null
if [ -e echo ]; then
	warn "CVE-2014-7169 (taviso bug)"
else
	good "CVE-2014-7169 (taviso bug)"
fi

$($bash -c "true $(printf '<<EOF %.0s' {1..80})" 2>$tmpdir/bashcheck.tmp)
ret=$?
grep -q AddressSanitizer $tmpdir/bashcheck.tmp
if [ $? == 0 ] || [ $ret == 139 ]; then
	warn "CVE-2014-7186 (redir_stack bug)"
else
	good "CVE-2014-7186 (redir_stack bug)"
fi


$bash -c "`for i in {1..200}; do echo -n "for x$i in; do :;"; done; for i in {1..200}; do echo -n "done;";done`" 2>/dev/null
if [ $? != 0 ]; then
	warn "CVE-2014-7187 (nested loops off by one)"
else
	echo -e "\033[96mTest for CVE-2014-7187 not reliable without address sanitizer\033[39m"
fi

$($bash -c "f(){ x(){ _;};x(){ _;}<<a;}" 2>/dev/null)
if [ $? != 0 ]; then
	warn "CVE-2014-6277 (lcamtuf bug #1)"
else
	good "CVE-2014-6277 (lcamtuf bug #1)"
fi

if [ -n "$(env x='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
	warn "CVE-2014-6278 (lcamtuf bug #2)"
elif [ -n "$(env BASH_FUNC_x%%='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
	warn "CVE-2014-6278 (lcamtuf bug #2)"
elif [ -n "$(env 'BASH_FUNC_x()'='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
	warn "CVE-2014-6278 (lcamtuf bug #2)"
else
	good "CVE-2014-6278 (lcamtuf bug #2)"
fi

rm -rf $tmpdir

donald
Full of knowledge
Posts: 1126
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Re: Bash bug

Post#30 by donald » 10 Oct 2014, 09:25

Hi cttan
Unfortunately slackware has only the bash-patch 50, whereas the newest is 53
which looks much better.

Testing /bin/bash ...
GNU bash, version 4.2.53(2)-release

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)

Also the (patch 53) code seems to be better. I had some bash-segfault-messages with
earlier patches. :(
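
The two bashcheck runs quoted in the posts above differ only in which result prefix each CVE line carries, so the output can be reduced to a single verdict for scripted checks across several machines. This is an added example, not part of bashcheck or of any post here; the function names and the verdict words (fail, warn, ok, unknown) are this example's own convention, and the sample input is constructed from the result lines of the 4.2.50 run.

```shell
#!/bin/sh
# Added example (not part of bashcheck): reduce bashcheck output to one line.
#   fail CVE...  at least one "Vulnerable to" result
#   warn CVE...  "Found non-exploitable" results, or the parser reported active
#   ok           only "Not vulnerable to" results
#   unknown      no result lines at all (the check did not run)
bashcheck_verdict() {
    esc=$(printf '\033')
    # remove the ANSI colour sequences bashcheck wraps around each line
    sed "s/${esc}\[[0-9;]*m//g" | awk '
        /^Vulnerable to /                  { bad  = bad  " " $3; seen++ }
        /^Found non-exploitable /          { soft = soft " " $3; seen++ }
        /^Not vulnerable to /              { seen++ }
        /^Variable function parser active/ { active = 1 }
        END {
            if (!seen)                     print "unknown"
            else if (bad != "")            print "fail" bad
            else if (soft != "" || active) print "warn" soft
            else                           print "ok"
        }'
}

# Constructed input: result lines as in the 4.2.50 run above, with colour codes.
sample_patch50() {
    printf '\033[92mNot vulnerable to %s\033[39m\n' \
        'CVE-2014-6271 (original shellshock)' 'CVE-2014-7169 (taviso bug)'
    printf '\033[93mFound non-exploitable %s\033[39m\n' \
        'CVE-2014-7186 (redir_stack bug)' 'CVE-2014-6277 (lcamtuf bug #1)' \
        'CVE-2014-6278 (lcamtuf bug #2)'
}

sample_patch50 | bashcheck_verdict
```

In use, pipe the real script into it, for example ./bashcheck 2>&1 | bashcheck_verdict, and treat "unknown" as a failed check, not as a pass.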
