Bash bug

Talk here about security in general. Posting illegal software is prohibited. Everything in this forum must be considered as for "Educational purpose only".
neko
DEV Team
Posts: 927
Joined: 09 Feb 2013, 09:55
Distribution: APorteus-FVWM-ja-x86_64.iso
Location: japan

Re: Bash bug

Post#16 by neko » 04 Oct 2014, 16:38

@bour59
I am sorry for missing the needed library.
Thank you very much for your report.

================================================

For 32 bit, version 3.0.1
001-core2.xzm was updated to 001-core3.xzm.

http://www.mediafire.com/download/on9s3 ... -core3.xzm
48a70bb126e10f5c472b3feb508a1228 001-core3.xzm

'bash', the content of 001-core.xzm, was updated to fix the "Shellshock" problem.
And the needed library for new bash was included into 001-core3.xzm.

Thanks.

bour59
Samurai
Posts: 118
Joined: 29 Dec 2010, 08:10
Distribution: porteus v3.2.2-xfce
Location: France

Re: Bash bug

Post#17 by bour59 » 04 Oct 2014, 18:16

@neko
all's fine now
please what can explain the different size of
001-core.xzm (51298304)
001-core3.xzm (47292407)
thanks

fanthom
Site Admin
Posts: 4586
Joined: 28 Dec 2010, 02:42
Distribution: Porteus Kiosk
Location: Poland, currently - Cork, IE

Re: Bash bug

Post#18 by fanthom » 04 Oct 2014, 18:48

i was playing with different block sizes for squash and looks like 001-core.xzm from 3.0.1 is compressed with 128k while it should be 256k (our default).
that's why original xzm is bigger.

sorry for that.
Please add [Solved] to your thread title if the solution was found.

Ed_P
Contributor
Posts: 3200
Joined: 06 Feb 2013, 22:12
Distribution: Cinnamon 3.2.2 64-bit ISO
Location: Western NY, USA

Re: Bash bug

Post#19 by Ed_P » 05 Oct 2014, 04:36

So is the official fix for this 001-core3.xzm or
brokenman wrote:You can now update the database to get this patch if you wish.

Code:

usm -u slackwarepatches
usm -g bash

Ed

neko
DEV Team
Posts: 927
Joined: 09 Feb 2013, 09:55
Distribution: APorteus-FVWM-ja-x86_64.iso
Location: japan

Re: Bash bug

Post#20 by neko » 05 Oct 2014, 13:06

@bour59

The update to 001-core3.xzm was done in the following steps.

1) Separate
The original 001-core.xzm was separated into individual packages
depending on the information of /var/log/packages/XXXXs.

2) Update
Then the "bash update" was done.
All /var/log/packages/XXXXs were updated.

3) Merge
Finally, the packages were merged into the 001-core3 directory,
and 001-core3 was compressed into the 001-core3.xzm module.

# mksquashfs 001-core3 001-core3.xzm -b 256K -comp xz -Xbcj x86

Thanks.
=====================================
[ diff -r 001-core 001-core3 ]

Binary files 001-core/bin/bash and 001-core3/bin/bash differ
Only in 001-core3/bin: rbash
Binary files 001-core/bin/sh and 001-core3/bin/sh differ
Only in 001-core3/etc: bash.bashrc
Only in 001-core3/etc/skel: .bash_logout
Only in 001-core3/etc/skel: .bashrc
Only in 001-core3/etc/skel: .profile
Only in 001-core3/lib: libtinfo.so.5
Only in 001-core3/lib: libtinfo.so.5.9
Only in 001-core3/usr/X11/bin: bashbug
Only in 001-core3/usr/X11/bin: clear_console
Only in 001-core/usr/X11/man/man1: bash.1
Only in 001-core3/usr/X11/share: lintian
Only in 001-core3/usr/X11/share: man
Only in 001-core3/usr/X11/share: menu
Only in 001-core3/usr/X11R6/bin: bashbug
Only in 001-core3/usr/X11R6/bin: clear_console
Only in 001-core/usr/X11R6/man/man1: bash.1
Only in 001-core3/usr/X11R6/share: lintian
Only in 001-core3/usr/X11R6/share: man
Only in 001-core3/usr/X11R6/share: menu
Only in 001-core3/usr/bin: bashbug
Only in 001-core3/usr/bin: clear_console
Only in 001-core/usr/man/man1: bash.1
Only in 001-core3/usr/share: lintian
Only in 001-core3/usr/share: man
Only in 001-core3/usr/share: menu

There are many diffs in /var/log/packages/XXXXs.
=====================================
Last edited by neko on 12 Oct 2014, 03:27, edited 1 time in total.

Rava
Contributor
Posts: 1319
Joined: 11 Jan 2011, 02:46
Distribution: Porteus 3.1.0 x86-64 XFCe
Location: Germany

Re: Bash bug

Post#21 by Rava » 08 Oct 2014, 07:15

@all
Is there an updated version for 3.0.1 x86-64 as well? I only read about the 32 bit updated 001-core3.xzm above...

________________________________________

For the 4.2 version, the newest patch is bash42-053 (according to http://ftp.gnu.org/gnu/bash/bash-4.2-patches/ ) but usm gives me as newest version only this: bash-4.2.045-x86_64-1.txz

Is the bash-4.2.053-x86_64-1.txz still available somewhere?

Strange enough, while gnu.org tells me the 4.2.053 being the newest patch, http://pkgs.org/download/bash tells me that ALT Linux Sisyphus has bash-3.2.54-alt1.x86_64.rpm. Do they really have 054 patch when gnu.org itself only has 053?

pkgs.org gives me as newest bash bash-4.2.045-x86_64-1.txz (same as usm) and as newest patch only bash-4.2.050-x86_64-1_slack14.1.txz ...

After

Code:

root@porteus:/mnt# usm -u slackwarepatches

I only get these as newest version/patches:

Code:

root@porteus:/mnt# usm -s bash

bash-4.2.050-x86_64-1_slack14.1.txz was found in slackwarepatches
bash-4.2.045-x86_64-1.txz was found in slackware

(same as http://pkgs.org)

Does anyone know a site that incorporates the newest gnu.org patches, as in: currently the 053 patch for 4.2?
Cheers!
Yours Rava

neko
DEV Team
Posts: 927
Joined: 09 Feb 2013, 09:55
Distribution: APorteus-FVWM-ja-x86_64.iso
Location: japan

Re: Bash bug

Post#22 by neko » 08 Oct 2014, 13:33

@Rava
This month, I cannot upload an updated 001-core.xzm for the 64 bit version 3.0.1.
(Next month I can use a 64bit PC.)

The "bash_4.2-2ubuntu2.5_i386" package from 32 bit UBUNTU14.04 was used.

*) Now, I am replacing bash with dash.

Thanks.

Rava
Contributor
Posts: 1319
Joined: 11 Jan 2011, 02:46
Distribution: Porteus 3.1.0 x86-64 XFCe
Location: Germany

Re: Bash bug

Post#23 by Rava » 08 Oct 2014, 15:46

@neko
So, is dash working fine for all bash scripts? Can it be used for the time being as a complete bash replacement until the bash shellshock vulnerability issues are solved?

And how would one incorporate that? Run some uninstaller using the /tmp/core-whatever folder as root, and also using that folder to install or xzm2dir dash?
_________________________

Also, are you really running XFCE-v2.0-rc2-i486.iso as your avatar text suggests? Sounds more like you use XFCE-v3.0.1-i486 to me...
Cheers!
Yours Rava

brokenman
Site Admin
Posts: 5503
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v3.2rcX all desktops
Location: Brazil

Re: Bash bug

Post#24 by brokenman » 08 Oct 2014, 19:23

So, is dash working fine for all bash scripts?
This can not be guaranteed. There are many bashisms in many scripts.

Some of these include the use of $RANDOM, select, let, and source keywords, shell arithmetic, the -e option to echo, the use of "." to search the current directory .... and many other things.
How do i become super user?
Wear your underpants on the outside and put on a cape.
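
Added example (not part of the thread and not Porteus code): a POSIX sh scanner for the bash-only constructs listed in the post above, for auditing a script before it is run under dash. It covers $RANDOM, select, let, source, echo -e and the (( )) arithmetic command; the sample script and the names scan_bashisms and write_sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: flag the bash-only constructs named in
# the post above in a script that would end up running under dash.
# Line-based heuristic: comment lines are skipped, quoting is not parsed.

scan_bashisms() {
    # $1 = script to check. Prints "file:line: construct" for every hit and
    # returns 1 if anything was found, 0 if the script looks dash-safe.
    awk '
        function hit(what) { printf "%s:%d: %s\n", FILENAME, FNR, what; n++ }
        /^[ \t]*#/ { next }                      # ignore comments and shebang
        { line = " " $0 }                        # leading space = word boundary
        line ~ /\$[{]?RANDOM/                    { hit("$RANDOM") }
        line ~ /[ \t;&|]select[ \t]+[A-Za-z_]/   { hit("select") }
        line ~ /[ \t;&|]let[ \t]/                { hit("let") }
        line ~ /[ \t;&|]source[ \t]/             { hit("source") }
        line ~ /[ \t;&|]echo[ \t]+-[nE]*e/       { hit("echo -e") }
        line ~ /[^$(]\(\(/                       { hit("(( )) arithmetic") }
        END { exit (n > 0) }
    ' "$1"
}

write_sample() {
    # Constructed sample script (hypothetical); lines 3 to 8 each hold one bashism.
    cat > "$1" <<'EOF'
#!/bin/sh
# let us source nothing here: comments are ignored
source /etc/profile
port=$((1024 + $RANDOM % 100))
let tries=tries+1
echo -e "port\t$port"
((tries++))
select opt in start stop; do break; done
. /etc/profile
printf 'tries=%s\n' "$((tries + 1))"
EOF
}

sample=$(mktemp)
write_sample "$sample"
scan_bashisms "$sample" || echo "bashisms found: not safe to run under dash"
rm -f "$sample"
```

The last two sample lines use the POSIX forms (`.` and `$(( ))` expansion) and are not reported.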

Rava
Contributor
Posts: 1319
Joined: 11 Jan 2011, 02:46
Distribution: Porteus 3.1.0 x86-64 XFCe
Location: Germany

Re: Bash bug

Post#25 by Rava » 08 Oct 2014, 20:23

^
At least the -e option of echo could be reproduced when replacing

Code:

echo -e bla

with

Code:

/bin/echo -e blubb

:D

Anyhow, is it recommendable to replace 001's bash with dash? Would all system scripts including all Porteus scripts still work okay?
When I just have to debug/change/whatever my own dozens of scripts, I can live with that... but having a buggy and faulty Porteus is not something I desire...
Cheers!
Yours Rava

donald
Full of knowledge
Posts: 1175
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Re: Bash bug

Post#26 by donald » 08 Oct 2014, 23:53

anyone in doubt...test your bash...this script checks against 6 public vulnerabilities.
https://github.com/hannob/bashcheck

brokenman
Site Admin
Posts: 5503
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v3.2rcX all desktops
Location: Brazil

Re: Bash bug

Post#27 by brokenman » 09 Oct 2014, 00:43

Anyhow, is it recommendable to replace 001's bash with dash?
No (see my above post for reasons).

Your echo -e example is not valid. Check man echo to see why.
How do i become super user?
Wear your underpants on the outside and put on a cape.

Rava
Contributor
Posts: 1319
Joined: 11 Jan 2011, 02:46
Distribution: Porteus 3.1.0 x86-64 XFCe
Location: Germany

Re: Bash bug

Post#28 by Rava » 10 Oct 2014, 00:07

brokenman wrote:Your echo -e example is not valid. Check man echo to see why.

Code:

man echo:

-e     enable interpretation of backslash escapes

You confuse me, brokenman...
Cheers!
Yours Rava

cttan
Shogun
Posts: 332
Joined: 26 Jan 2011, 16:15
Distribution: Porteus 3.2 64bit KDE
Location: Malaysia

Re: Bash bug

Post#29 by cttan » 10 Oct 2014, 05:36

Hi donald,

The bash check is good.

I just updated using usm -g bash and all is good now, as in the output below.

Code:

root@a10b23c45d67:~# ./bashcheck 
Testing /usr/bin/bash ...
GNU bash, version 4.2.50(2)-release (x86_64-slackware-linux-gnu)

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Found non-exploitable CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)
root@a10b23c45d67:~#

bashcheck script from donald's link:

Code:

#!/bin/bash

warn() {
	if [ "$scary" == "1" ]; then
		echo -e "\033[91mVulnerable to $1\033[39m"
	else
		echo -e "\033[93mFound non-exploitable $1\033[39m"
	fi
}

good() {
	echo -e "\033[92mNot vulnerable to $1\033[39m"
}

tmpdir=`mktemp -d -t tmp.XXXXXXXX`

[ -n "$1" ] && bash=$(which $1) || bash=$(which bash)
echo -e "\033[95mTesting $bash ..."
echo $($bash --version | head -n 1)
echo -e "\033[39m"

#r=`a="() { echo x;}" $bash -c a 2>/dev/null`
if [ -n "$(env 'a'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[91mVariable function parser active, maybe vulnerable to unknown parser bugs\033[39m"
	scary=1
elif [ -n "$(env 'BASH_FUNC_a%%'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[92mVariable function parser pre/suffixed [%%, upstream], bugs not exploitable\033[39m"
	scary=0
elif [ -n "$(env 'BASH_FUNC_a()'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[92mVariable function parser pre/suffixed [(), redhat], bugs not exploitable\033[39m"
	scary=0
elif [ -n "$(env 'BASH_FUNC_<a>%%'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[92mVariable function parser pre/suffixed [<..>%%, apple], bugs not exploitable\033[39m"
	scary=0
else
	echo -e "\033[92mVariable function parser inactive, bugs not exploitable\033[39m"
	scary=0
fi


r=`env x="() { :; }; echo x" $bash -c "" 2>/dev/null`
if [ -n "$r" ]; then
	warn "CVE-2014-6271 (original shellshock)"
else
	good "CVE-2014-6271 (original shellshock)"
fi

cd $tmpdir
env x='() { function a a>\' $bash -c echo 2>/dev/null > /dev/null
if [ -e echo ]; then
	warn "CVE-2014-7169 (taviso bug)"
else
	good "CVE-2014-7169 (taviso bug)"
fi

$($bash -c "true $(printf '<<EOF %.0s' {1..80})" 2>$tmpdir/bashcheck.tmp)
ret=$?
grep -q AddressSanitizer $tmpdir/bashcheck.tmp
if [ $? == 0 ] || [ $ret == 139 ]; then
	warn "CVE-2014-7186 (redir_stack bug)"
else
	good "CVE-2014-7186 (redir_stack bug)"
fi


$bash -c "`for i in {1..200}; do echo -n "for x$i in; do :;"; done; for i in {1..200}; do echo -n "done;";done`" 2>/dev/null
if [ $? != 0 ]; then
	warn "CVE-2014-7187 (nested loops off by one)"
else
	echo -e "\033[96mTest for CVE-2014-7187 not reliable without address sanitizer\033[39m"
fi

$($bash -c "f(){ x(){ _;};x(){ _;}<<a;}" 2>/dev/null)
if [ $? != 0 ]; then
	warn "CVE-2014-6277 (lcamtuf bug #1)"
else
	good "CVE-2014-6277 (lcamtuf bug #1)"
fi

if [ -n "$(env x='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
	warn "CVE-2014-6278 (lcamtuf bug #2)"
elif [ -n "$(env BASH_FUNC_x%%='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
	warn "CVE-2014-6278 (lcamtuf bug #2)"
elif [ -n "$(env 'BASH_FUNC_x()'='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
	warn "CVE-2014-6278 (lcamtuf bug #2)"
else
	good "CVE-2014-6278 (lcamtuf bug #2)"
fi

rm -rf $tmpdir

donald
Full of knowledge
Posts: 1175
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Re: Bash bug

Post#30 by donald » 10 Oct 2014, 09:25

Hi cttan
Unfortunately slackware has only the bash-patch 50, whereas the newest is 53
which looks much better.

Testing /bin/bash ...
GNU bash, version 4.2.53(2)-release

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)

also the (patch 53) code seems to be better. I had some bash-segfault-messages with
earlier patches. :(
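
Added example (not part of the thread and not from the bashcheck project): a POSIX sh wrapper that reduces a bashcheck report like the ones posted above to one status per CVE and an exit code, so the check can run unattended on several machines. The function names and status words are assumptions of this example; the unpatched report is constructed from the format the script's warn() function prints.

```shell
#!/bin/sh
# Added example, not from the thread: turn a bashcheck report into one status
# per CVE plus an exit code, so the check can run unattended on many hosts.

triage_bashcheck() {
    # stdin: bashcheck output. stdout: "STATUS CVE-ID" per result line.
    # returns 2 = exploitable finding, 1 = bug present but not exploitable,
    #         0 = nothing found (inconclusive tests are listed, not counted).
    esc=$(printf '\033')
    # Strip the ANSI colour codes bashcheck emits, then classify each line.
    sed "s/${esc}\[[0-9;]*m//g" | awk '
        match($0, /CVE-[0-9]+-[0-9]+/) {
            id = substr($0, RSTART, RLENGTH)
            if ($0 ~ /^Vulnerable to /)              { s = "EXPLOITABLE"; worst = 2 }
            else if ($0 ~ /^Found non-exploitable /) { s = "PRESENT"; if (worst < 1) worst = 1 }
            else if ($0 ~ /^Not vulnerable to /)     { s = "FIXED" }
            else                                     { s = "INCONCLUSIVE" }
            print s, id
        }
        END { exit (worst + 0) }'
}

report_patch50() {   # result lines as posted above for bash 4.2.50
    cat <<'EOF'
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Found non-exploitable CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)
EOF
}

report_unpatched() { # constructed: the red line warn() prints when scary=1
    printf '\033[91mVulnerable to CVE-2014-6271 (original shellshock)\033[39m\n'
}

report_patch50 | triage_bashcheck || echo "exit status $?"
report_unpatched | triage_bashcheck || echo "exit status $?"
```

Lines without a CVE id, such as the "Variable function parser" line, are ignored by this wrapper and still need to be read in the full report.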
