Bash bug

neko
DEV Team
Posts: 956
Joined: 09 Feb 2013, 09:55
Distribution: APorteus-FVWM-ja-x86_64.iso
Location: japan

Re: Bash bug

Post#31 by neko » 11 Oct 2014, 07:14

For 32 bit, version 3.0.1
001-core3.xzm was updated to 001-core4.xzm.

http://www.mediafire.com/download/8goqr ... -core4.xzm
md5sum: 0bcd417e010716db876be750ff6d2889 001-core4.xzm

'bash', the content of 001-core3.xzm, was updated
depending on 32 bit UBUNTU14.04 updating
from the "bash_4.2-2ubuntu2.5_i386" to the "bash_4.2-2ubuntu2.6_i386".

================================================
@Rava
1."is dash working fine for all bash scripts?"
No, there are many issues which were already explained by brokenman.

2."Can it be used for the time being as a complete bash replacement
until the bash shellshock vulnerability issues are solved?"

No, it can not be used as a complete bash replacement.
Because it is too difficult for the "complete bash replacement"
to keep the quality by the short time maintenance.

3."how would one incorporate that?"
001-core.xzm could be replaced, and then be rebooted.

4."are you really running XFCE-v2.0-rc2-i486.iso as your avatar text suggests?"
I updated my avatar profile.

================================================
@donald
results of bashcheck.

[bash of 001-core3.xzm]
Testing /bin/bash ...
GNU bash, version 4.2.25(1)-release (i686-pc-linux-gnu)

Variable function parser pre/suffixed [(), redhat], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)

[bash of 001-core4.xzm]
Testing /home/guest/work/bash/bash_4.2-2ubuntu2.6_i386/bin/bash ...
GNU bash, version 4.2.25(1)-release (i686-pc-linux-gnu)

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)


Thanks.
Last edited by neko on 12 Oct 2014, 03:26, edited 1 time in total.
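
Added example (not part of the original posts and not the bashcheck project's code): a small script that reduces two saved bashcheck reports to a per-CVE status and prints what changed, using the CVE lines of the two reports above as input. The function names and the "review" fallback status are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): compare two saved bashcheck reports.

# Print "CVE-ID status" for every report line that names a CVE.
# Statuses follow the wording seen in the reports above; any other wording
# is flagged "review" (assumption: unknown wording needs a human look).
bashcheck_status() {
    awk 'match($0, /CVE-[0-9]+-[0-9]+/) {
        cve = substr($0, RSTART, RLENGTH)
        if      ($0 ~ /Not vulnerable/)        s = "ok"
        else if ($0 ~ /Found non-exploitable/) s = "found-nonexploitable"
        else if ($0 ~ /not reliable/)          s = "unreliable"
        else                                   s = "review"
        print cve, s
    }' "$1" | sort -k1,1
}

# Print every CVE whose status differs between report $1 and report $2.
# CVEs that appear in only one of the reports are not listed.
bashcheck_diff() {
    old=$(mktemp) new=$(mktemp)
    bashcheck_status "$1" > "$old"
    bashcheck_status "$2" > "$new"
    join "$old" "$new" | awk '$2 != $3 { print $1 ": " $2 " -> " $3 }'
    rm -f "$old" "$new"
}

# Sample input: the CVE lines of the two reports in post #31.
write_samples() {
    cat > "$1/core3.txt" <<'EOF'
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)
EOF
    # The core4 report differs only in the last two lines.
    sed 's/^Found non-exploitable \(CVE-2014-627[78]\)/Not vulnerable to \1/' \
        "$1/core3.txt" > "$1/core4.txt"
}

dir=$(mktemp -d)
write_samples "$dir"
bashcheck_diff "$dir/core3.txt" "$dir/core4.txt"
rm -rf "$dir"
```

The same comparison works for two runs of one build, for example a report saved as root against one saved as a normal user.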

francois
Contributor
Posts: 5068
Joined: 28 Dec 2010, 14:25
Distribution: kde xfce porteus manjaro kubun
Location: Finally summer, the expected climate change: the sun.

Re: Bash bug

Post#32 by francois » 11 Oct 2014, 12:11

@donald:
Thanks for the bash tester.

@neko:
Thanks for the new core module. It does pass the test.
Voltaire: The best is the enemy of the good.

Rava
Contributor
Posts: 1319
Joined: 11 Jan 2011, 02:46
Distribution: Porteus 3.1.0 x86-64 XFCe
Location: Germany

Re: Bash bug

Post#33 by Rava » 11 Oct 2014, 21:30

@Neko

Thanks for the info.

How do you implement updates newer than bash-4.2.050?
That's the newest txz I found. Methinks the newer updates have to be merged into the source code and bash needs to be compiled, or am I wrong here?

Cause this is what I get running the newest available slackware patch-level on x86-64:
# bashcheck
Testing /usr/bin/bash ...
GNU bash, version 4.2.50(2)-release (x86_64-slackware-linux-gnu)

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Found non-exploitable CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)
Cheers!
Yours Rava

neko
DEV Team
Posts: 956
Joined: 09 Feb 2013, 09:55
Distribution: APorteus-FVWM-ja-x86_64.iso
Location: japan

Re: Bash bug

Post#34 by neko » 12 Oct 2014, 03:25

@Rava
Creating 001-core4.xzm was done in the following steps.

1.get bash_4.2-2ubuntu2.6_i386.deb from
the updated newest 32 bit UBUNTU14.04 by synaptic.

2.get libtinfo.so.5.9 by USM or other tool.

3.expand bash_4.2-2ubuntu2.6_i386.deb by commands under root privilege.

# ar x bash_4.2-2ubuntu2.6_i386.deb
# mv data.tar.gz bash_4.2-2ubuntu2.6_i386.tgz
# tar -xzf control.tar.gz

4.create "PACKAGE DESCRIPTION:" text.

# echo "bash_4.2-2ubuntu2.6_i386: " > bash_4.2-2ubuntu2.6_i386.txt
# cat control | sed "s/^/bash_4.2-2ubuntu2.6_i386: /g" >> bash_4.2-2ubuntu2.6_i386.txt
# echo "bash_4.2-2ubuntu2.6_i386: " >> bash_4.2-2ubuntu2.6_i386.txt

5.install bash_4.2-2ubuntu2.6_i386.tgz into temporary root.

# mkdir root
# installpkg -root root bash_4.2-2ubuntu2.6_i386.tgz
# cd root/bin
# ln -sf bash sh
# cd ../..
# cd root/usr/bin
# ln -sf ../../bin/bash .
# cd ../../..
# mkdir -p root/lib
# mv libtinfo.so.5.9 root/lib/.
# cd root/lib
# ln -sf libtinfo.so.5.9 libtinfo.so.5
# cd ../..

7.create 001-core4.xzm

# mloop 001-core.xzm
# mkdir new
# cp -a /mnt/loop/* new/.
# uloop
# cp -a root/* new/.
# mksquashfs new 001-core4.xzm -b 256K -comp xz -Xbcj x86

Thanks.

neko
DEV Team
Posts: 956
Joined: 09 Feb 2013, 09:55
Distribution: APorteus-FVWM-ja-x86_64.iso
Location: japan

Re: Bash bug

Post#35 by neko » 12 Oct 2014, 06:02

@Rava

A sample 64 bit 001-core4.xzm was uploaded.
'sample' means that this 001-core4.xzm was not tested
because I do not have 64 bit PC now.

http://www.mediafire.com/download/faety ... -core4.xzm
md5sum: 61f6704ac7885b2e909775451982b0f4 001-core4.xzm

Thanks.
============================================
bash_4.3-7ubuntu1.5_amd64.deb was gotten from the site
http://pkgs.org/search/bash

libtinfo.so.5.9 was gotten from the ISO
Porteus-FVWM-v3.0.1-x86_64-2.iso

slack_distros_rock
White ninja
Posts: 5
Joined: 30 Sep 2014, 18:28
Distribution: Porteus 3 KDE4, Slacko 5.7
Location: U.S.A.

Re: Bash bug

Post#36 by slack_distros_rock » 14 Oct 2014, 14:40

neko wrote:@Rava

A sample 64 bit 001-core4.xzm was uploaded.
'sample' means that this 001-core4.xzm was not tested
because I do not have 64 bit PC now.

http://www.mediafire.com/download/faety ... -core4.xzm
md5sum: 61f6704ac7885b2e909775451982b0f4 001-core4.xzm

Thanks.
============================================
bash_4.3-7ubuntu1.5_amd64.deb was gotten from the site
http://pkgs.org/search/bash

libtinfo.so.5.9 was gotten from the ISO
Porteus-FVWM-v3.0.1-x86_64-2.iso

I have a new 3.0.1 KDE4 64 install where I replaced the 001-core with the 001-core4.

Now

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

gives

this is a test

while before it gave

vulnerable

The system works the same as before - thanks!
...McLuhan coined and certainly popularized the usage of the term "surfing" to refer to rapid, irregular and multidirectional movement through a heterogeneous body of documents or knowledge...

Wikipedia on Marshall McLuhan

donald
Full of knowledge
Posts: 1217
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Re: Bash bug

Post#37 by donald » 14 Oct 2014, 22:13

@slack_distros_rock

It would be more meaningful to test against all (so far known) vulnerabilities.
Not just one.. :wink:

Rava
Contributor
Posts: 1319
Joined: 11 Jan 2011, 02:46
Distribution: Porteus 3.1.0 x86-64 XFCe
Location: Germany

Re: Bash bug

Post#38 by Rava » 15 Oct 2014, 06:55

donald wrote:
"It would be more meaningful to test against all (so far known) vulnerabilities.
Not just one.. :wink:"

Is there a script that does just that? I just run the "bashcheck" one... but sadly, it seems not to have any version info in it.

Is "bashcheck" enough to be called "test against all (so far known) vulnerabilities"?
______________________________________________________

slack_distros_rock :
Checking out your 001-core4.xzm soon...
______________________________________________________

How best does one make a comparison of what was changed in a module?
xzm2copy both into separate folders, and then run md5sum on all files but symlinks?
Is there already a script or cli one-liner that does just that?
Or is a different approach than md5sum'em'all better?
______________________________________________________

Strangely enough, with my current system, that is 001-core_bash-4.2.050 ... there is a difference in what bashcheck reports.
When I run it as root in XFCe terminal, I get this:

Found non-exploitable CVE-2014-7186 (redir_stack bug)

but when I run it as normal user in XFCe terminal, I get this:

Not vulnerable to CVE-2014-7186 (redir_stack bug)

(All the rest of the output is identical)

Any ideas why that differs? Not happy that root, of all users, has a higher vulnerability (even when the script tells me "non-exploitable") than normal user...

And ideas why that could be?
Cheers!
Yours Rava
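
Added example (not code from the thread or from the Porteus project): one way to do the comparison described in the post above, run over two already-extracted module directories. It goes one step beyond "all files but symlinks" by also recording each symlink's target, and it uses sha256sum instead of md5sum; the helper names and the sample trees are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list what differs between two
# extracted module trees. Assumes file names contain no newlines.

# One "sha256  ./path" line per regular file; a symlink is recorded as the
# hash of its target string, so a re-pointed link shows up as a change.
tree_manifest() {
    ( cd "$1" || exit 1
      find . -type f -exec sha256sum {} +
      find . -type l -exec sh -c 'for l; do
          printf "%s  %s\n" "$(readlink "$l" | sha256sum | cut -c1-64)" "$l"
      done' sh {} + )
}

# Print "added|changed|removed ./path" for trees $1 (old) and $2 (new).
tree_diff() {
    m_old=$(mktemp) m_new=$(mktemp)
    tree_manifest "$1" > "$m_old"
    tree_manifest "$2" > "$m_new"
    # Hash is the first 64 characters, the path starts at column 67.
    awk '{ h = substr($0, 1, 64); p = substr($0, 67) }
         FILENAME == ARGV[1]       { old[p] = h; next }
         !(p in old)               { print "added   " p }
         (p in old) && old[p] != h { print "changed " p }
                                   { seen[p] = 1 }
         END { for (f in old) if (!(f in seen)) print "removed " f }' \
        "$m_old" "$m_new" | sort
    rm -f "$m_old" "$m_new"
}

# Constructed sample trees standing in for two extracted modules.
make_sample_trees() {
    mkdir -p "$1/old/bin" "$1/new/bin" "$1/new/lib"
    echo 'old build' > "$1/old/bin/bash"; echo 'new build' > "$1/new/bin/bash"
    echo 'same'      > "$1/old/bin/ls";   echo 'same'      > "$1/new/bin/ls"
    echo 'gone'      > "$1/old/bin/tool"
    echo 'lib'       > "$1/new/lib/libtinfo.so.5.9"
    ln -s dash "$1/old/bin/sh"; ln -s bash "$1/new/bin/sh"
}

work=$(mktemp -d)
make_sample_trees "$work"
tree_diff "$work/old" "$work/new"
rm -rf "$work"
```

An unexpected "changed" or "added" line outside the paths the update was meant to touch is the thing to look for when a module comes from a third-party download.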

donald
Full of knowledge
Posts: 1217
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Re: Bash bug

Post#39 by donald » 15 Oct 2014, 11:05

@Rava
"Is there a script that does just that?"
The linked page explains which vulnerabilities are checked by "bashcheck".
"..not to have any version info in it."
???
".. there is a difference in what bashcheck reports."
Not on my end, with original slackware patch:

guest@porteus:~$ ./bashcheck
Testing /usr/bin/bash ...
GNU bash, Version 4.2.50(2)-release (i486-slackware-linux-gnu)

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)
guest@porteus:~$ su
Passwort: 
root@porteus:~# cd /home/guest
root@porteus:/home/guest# ./bashcheck
Testing /usr/bin/bash ...
GNU bash, Version 4.2.50(2)-release (i486-slackware-linux-gnu)

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)
root@porteus:/home/guest# 

The updated core4.xzm (by neko btw) was built with packages from ubuntu.....

slack_distros_rock
White ninja
Posts: 5
Joined: 30 Sep 2014, 18:28
Distribution: Porteus 3 KDE4, Slacko 5.7
Location: U.S.A.

Re: Bash bug

Post#40 by slack_distros_rock » 15 Oct 2014, 18:16

@ donald

@ rava

I used the latest bashcheck and

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)

neko's 64 bit module is ok

Rava
Contributor
Posts: 1319
Joined: 11 Jan 2011, 02:46
Distribution: Porteus 3.1.0 x86-64 XFCe
Location: Germany

Re: Bash bug

Post#41 by Rava » 16 Oct 2014, 11:33

^
Indeed, after restart I got the same result. Just could not post, my power supply went bonkers and I had to shut down the PC... :(

@neko
Could you please include the newest usm in your (x86-64 & x686) 001-core4.xzm?

Or do you - and all others - also include the usm-3.1.6-noarch-1.xzm module?
Cheers!
Yours Rava

brokenman
Site Admin
Posts: 5555
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v3.2rcX all desktops
Location: Brazil

Re: Bash bug

Post#42 by brokenman » 16 Oct 2014, 14:13

usm-3.1.7 will be out this weekend.
How do i become super user?
Wear your underpants on the outside and put on a cape.

neko
DEV Team
Posts: 956
Joined: 09 Feb 2013, 09:55
Distribution: APorteus-FVWM-ja-x86_64.iso
Location: japan

Re: Bash bug

Post#43 by neko » 16 Oct 2014, 16:30

@ Rava
usm-latest-0.0-noarch-1 of both 001-core4.xzms will be updated to usm-3.1.7.

Thanks.

@brokenman
Thank you for your well-timed post.

Rava
Contributor
Posts: 1319
Joined: 11 Jan 2011, 02:46
Distribution: Porteus 3.1.0 x86-64 XFCe
Location: Germany

Re: Bash bug

Post#44 by Rava » 16 Oct 2014, 19:31

^ & ^^

So, sometime end of weekend, or beginning of next week, we will get core5.xzm with newest usm 3.1.7? Yay! :Yahoo!:
Cheers!
Yours Rava

Ed_P
Contributor
Posts: 3316
Joined: 06 Feb 2013, 22:12
Distribution: Cinnamon 3.2.2 64-bit ISO
Location: Western NY, USA

Re: Bash bug

Post#45 by Ed_P » 17 Oct 2014, 04:05

I would think the 3.1 001-core.xzm module would include the bash bug fix(es) rather than a separate addon module.
Ed
