Bash bug

Talk here about security in general. Posting illegal software is prohibited. All stuff in this forum must be considered as for "Educational purpose only".
neko
Contributor
Posts: 916
Joined: 09 Feb 2013, 09:55
Distribution: APorteus-FVWM-ja-x86_64.iso
Location: japan

Re: Bash bug

Post#31 by neko » 11 Oct 2014, 07:14

For 32 bit, version 3.0.1
001-core3.xzm was updated to 001-core4.xzm.

http://www.mediafire.com/download/8goqr ... -core4.xzm
md5sum: 0bcd417e010716db876be750ff6d2889 001-core4.xzm

'bash', the content of 001-core3.xzm, was updated
depending on 32 bit UBUNTU14.04 updating
from the "bash_4.2-2ubuntu2.5_i386" to the "bash_4.2-2ubuntu2.6_i386".

================================================
@Rava
1."is dash working fine for all bash scripts?"
No, there are many issues which were already explained by brokenman.

2."Can it be used for the time being as a complete bash replacement
until the bash shellshock vulnerability issues are solved?"

No, it can not be used as a complete bash replacement.
Because it is too difficult for the "complete bash replacement"
to keep the quality by the short time maintenance.

3."how would one incorporate that?"
001-core.xzm could be replaced, and then be rebooted.

4."are you really running XFCE-v2.0-rc2-i486.iso as your avatar text suggests?"
I updated my avatar profile.

================================================
@donald
results of bashcheck.

[bash of 001-core3.xzm]
Testing /bin/bash ...
GNU bash, version 4.2.25(1)-release (i686-pc-linux-gnu)

Variable function parser pre/suffixed [(), redhat], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)

[bash of 001-core4.xzm]
Testing /home/guest/work/bash/bash_4.2-2ubuntu2.6_i386/bin/bash ...
GNU bash, version 4.2.25(1)-release (i686-pc-linux-gnu)

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)


Thanks.
Last edited by neko on 12 Oct 2014, 03:26, edited 1 time in total.
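
The two bashcheck reports in the post above differ in only two lines, which is easy to miss by eye. The script below is an added example, not part of the thread or of bashcheck: it reduces a saved report to one status per CVE and lists what changed between two reports. The function names and file names are hypothetical, and only the line shapes quoted in this thread are recognised.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): compare saved bashcheck reports.
# Only the three line shapes quoted in the posts are classified; any other
# CVE line is marked "review" so it is never silently counted as safe.
TAB=$(printf '\t')

# bashcheck_status FILE: print "CVE-ID<TAB>STATUS", sorted by CVE id.
bashcheck_status() {
    awk 'match($0, /CVE-[0-9]+-[0-9]+/) {
        cve = substr($0, RSTART, RLENGTH)
        if      ($0 ~ /^Not vulnerable to /)       s = "not-vulnerable"
        else if ($0 ~ /^Found non-exploitable /)   s = "non-exploitable"
        else if ($0 ~ /^Test for .* not reliable/) s = "inconclusive"
        else                                       s = "review"
        print cve "\t" s
    }' "$1" | LC_ALL=C sort
}

# bashcheck_diff OLD NEW: print "CVE-ID: old -> new" where the status changed.
bashcheck_diff() {
    bd_a=$(mktemp) bd_b=$(mktemp)
    bashcheck_status "$1" > "$bd_a"
    bashcheck_status "$2" > "$bd_b"
    LC_ALL=C join -t "$TAB" -a 1 -a 2 -e missing -o 0,1.2,2.2 "$bd_a" "$bd_b" |
        awk -F '\t' '$2 != $3 { print $1 ": " $2 " -> " $3 }'
    rm -f "$bd_a" "$bd_b"
}

# bashcheck_open FILE: CVEs whose result is anything but "not-vulnerable".
bashcheck_open() {
    bashcheck_status "$1" | awk -F '\t' '$2 != "not-vulnerable"'
}

# write_samples DIR: CVE lines from the two reports in the post above.
write_samples() {
    cat > "$1/core3.txt" <<'EOF'
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)
EOF
    # The 001-core4.xzm report differs only in the last two lines.
    sed 's/^Found non-exploitable/Not vulnerable to/' "$1/core3.txt" > "$1/core4.txt"
}
```

Save each run with `bashcheck > report.txt` and pass the two files to `bashcheck_diff`; `bashcheck_open` shows that the CVE-2014-7187 line stays inconclusive in both reports.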

francois
Contributor
Posts: 4946
Joined: 28 Dec 2010, 14:25
Distribution: kde xfce porteus manjaro kubun
Location: Enfin l'été, le changement climatique attendu: le soleil.

Re: Bash bug

Post#32 by francois » 11 Oct 2014, 12:11

@donald:
Thanks for the bash tester.

@neko:
Thanks for the new core module. It does pass the test.
Voltaire: Le mieux est l'ennemi du bien.

Rava
Contributor
Posts: 1319
Joined: 11 Jan 2011, 02:46
Distribution: Porteus 3.1.0 x86-64 XFCe
Location: Germany

Re: Bash bug

Post#33 by Rava » 11 Oct 2014, 21:30

@Neko

Thanks for the info.

How do you implement updates newer than bash-4.2.050?
That's the newest txz I found. Me thinks the newer updates have to be merged into the source code and bash needs to be compiled, or am I wrong here?

Cause this is what I get running the newest available slackware patch-level on x86-64:
# bashcheck
Testing /usr/bin/bash ...
GNU bash, version 4.2.50(2)-release (x86_64-slackware-linux-gnu)

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Found non-exploitable CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)
Cheers!
Yours Rava

neko
Contributor
Posts: 916
Joined: 09 Feb 2013, 09:55
Distribution: APorteus-FVWM-ja-x86_64.iso
Location: japan

Re: Bash bug

Post#34 by neko » 12 Oct 2014, 03:25

@Rava
Creating 001-core4.xzm was done in the following steps.

1.get bash_4.2-2ubuntu2.6_i386.deb from
the updated newest 32 bit UBUNTU14.04 by synaptic.

2.get libtinfo.so.5.9 by USM or other tool.

3.expand bash_4.2-2ubuntu2.6_i386.deb by commands under root privilege.

# ar x bash_4.2-2ubuntu2.6_i386.deb
# mv data.tar.gz bash_4.2-2ubuntu2.6_i386.tgz
# tar -xzf control.tar.gz

4.create "PACKAGE DESCRIPTION:" text.

# echo "bash_4.2-2ubuntu2.6_i386: " > bash_4.2-2ubuntu2.6_i386.txt
# cat control | sed "s/^/bash_4.2-2ubuntu2.6_i386: /g" >> bash_4.2-2ubuntu2.6_i386.txt
# echo "bash_4.2-2ubuntu2.6_i386: " >> bash_4.2-2ubuntu2.6_i386.txt

5.install bash_4.2-2ubuntu2.6_i386.tgz into temporary root.

# mkdir root
# installpkg -root root bash_4.2-2ubuntu2.6_i386.tgz
# cd root/bin
# ln -sf bash sh
# cd ../..
# cd root/usr/bin
# ln -sf ../../bin/bash .
# cd ../../..
# mkdir -p root/lib
# mv libtinfo.so.5.9 root/lib/.
# cd root/lib
# ln -sf libtinfo.so.5.9 libtinfo.so.5
# cd ../..

7.create 001-core4.xzm

# mloop 001-core.xzm
# mkdir new
# cp -a /mnt/loop/* new/.
# uloop
# cp -a root/* new/.
# mksquashfs new 001-core4.xzm -b 256K -comp xz -Xbcj x86

Thanks.

neko
Contributor
Posts: 916
Joined: 09 Feb 2013, 09:55
Distribution: APorteus-FVWM-ja-x86_64.iso
Location: japan

Re: Bash bug

Post#35 by neko » 12 Oct 2014, 06:02

@Rava

A sample 64 bit 001-core4.xzm was uploaded.
'sample' means that this 001-core4.xzm was not tested
because I do not have 64 bit PC now.

http://www.mediafire.com/download/faety ... -core4.xzm
md5sum: 61f6704ac7885b2e909775451982b0f4 001-core4.xzm

Thanks.
============================================
bash_4.3-7ubuntu1.5_amd64.deb was gotten from the site
http://pkgs.org/search/bash

libtinfo.so.5.9 was gotten from the ISO
Porteus-FVWM-v3.0.1-x86_64-2.iso

slack_distros_rock
White ninja
Posts: 5
Joined: 30 Sep 2014, 18:28
Distribution: Porteus 3 KDE4, Slacko 5.7
Location: U.S.A.

Re: Bash bug

Post#36 by slack_distros_rock » 14 Oct 2014, 14:40

neko wrote: @Rava

A sample 64 bit 001-core4.xzm was uploaded.
'sample' means that this 001-core4.xzm was not tested
because I do not have 64 bit PC now.

http://www.mediafire.com/download/faety ... -core4.xzm
md5sum: 61f6704ac7885b2e909775451982b0f4 001-core4.xzm

Thanks.
============================================
bash_4.3-7ubuntu1.5_amd64.deb was gotten from the site
http://pkgs.org/search/bash

libtinfo.so.5.9 was gotten from the ISO
Porteus-FVWM-v3.0.1-x86_64-2.iso

I have a new 3.0.1 KDE4 64 install where I replaced the 001-core with the 001-core4.

Now

Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

gives

Code:
this is a test

while before it gave

Code:
vulnerable

The system works the same as before - thanks!
...McLuhan coined and certainly popularized the usage of the term "surfing" to refer to rapid, irregular and multidirectional movement through a heterogeneous body of documents or knowledge...

Wikipedia on Marshall McLuhan

donald
Full of knowledge
Posts: 1161
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Re: Bash bug

Post#37 by donald » 14 Oct 2014, 22:13

@slack_distros_rock

It would be more meaningful to test against all (so far known) vulnerabilities.
Not just one.. :wink:

Rava
Contributor
Posts: 1319
Joined: 11 Jan 2011, 02:46
Distribution: Porteus 3.1.0 x86-64 XFCe
Location: Germany

Re: Bash bug

Post#38 by Rava » 15 Oct 2014, 06:55

donald wrote: It would be more meaningful to test against all (so far known) vulnerabilities.
Not just one.. :wink:

Is there a script that does just that? I just run the "bashcheck" one... but sadly, it seems not to have any version info in it.

Is "bashcheck" enough to be called "test against all (so far known) vulnerabilities"?
______________________________________________________

slack_distros_rock :
Checking out your 001-core4.xzm soon...
______________________________________________________

How best does one make a comparison of what was changed in a module?
xzm2copy both into separate folders, and then run md5sum on all files but symlinks?
Is there already a script or cli one-liner that does just that?
Or is a different approach than md5sum'em'all better?
______________________________________________________

Strange enough, with my current system, that is 001-core_bash-4.2.050 ... there is a difference in what bashcheck reports.
When I run it as root in XFCe terminal, I get this:

Code:
Found non-exploitable CVE-2014-7186 (redir_stack bug)

but when I run it as normal user in XFCe terminal, I get this:

Code:
Not vulnerable to CVE-2014-7186 (redir_stack bug)

(All the rest of the output is identical)

Any ideas why that differs? Not happy that root, of all users, has a higher vulnerability (even when the script tells me "non-exploitable") than normal user...

Any ideas why that could be?
Cheers!
Yours Rava
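
One way to do the module comparison asked about in the post above, as an added example that is not part of the thread. It assumes both modules have already been unpacked into two directories, uses sha256sum in place of the md5sum mentioned, and also records file modes and symlink targets; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Compares two unpacked module trees.
# Assumes GNU find/stat/sha256sum and no tabs or newlines in file names.
TAB=$(printf '\t')

# manifest DIR: one "FINGERPRINT<TAB>PATH" line per regular file or symlink.
# Regular files: "MODE SHA256" (the mode catches a changed permission bit);
# symlinks: "link:TARGET" (catches a link such as sh -> bash being re-pointed).
manifest() {
    ( cd "$1" || exit 1
      find . \( -type f -o -type l \) -print | LC_ALL=C sort |
      while IFS= read -r p; do
          if [ -L "$p" ]; then
              printf 'link:%s\t%s\n' "$(readlink "$p")" "$p"
          else
              printf '%s %s\t%s\n' "$(stat -c %a "$p")" \
                  "$(sha256sum < "$p" | cut -d' ' -f1)" "$p"
          fi
      done )
}

# compare_modules OLD_DIR NEW_DIR: print ADDED/REMOVED/CHANGED<TAB>PATH.
compare_modules() {
    cm_old=$(mktemp) cm_new=$(mktemp)
    manifest "$1" > "$cm_old"
    manifest "$2" > "$cm_new"
    awk -F '\t' '
        FILENAME == ARGV[1] { old[$2] = $1; next }
        !($2 in old)        { print "ADDED\t" $2; next }
                            { seen[$2] = 1 }
        old[$2] != $1       { print "CHANGED\t" $2 }
        END { for (p in old) if (!(p in seen)) print "REMOVED\t" p }
    ' "$cm_old" "$cm_new" | LC_ALL=C sort -t "$TAB" -k2
    rm -f "$cm_old" "$cm_new"
}

# Usage: ./modcmp.sh old_tree new_tree
if [ "$#" -eq 2 ]; then compare_modules "$1" "$2"; fi
```

For a module that was rebuilt only to swap bash, the expected output is short: the bash binary, its libtinfo library and the related links. Any other CHANGED or ADDED path is worth a look before booting the module.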

donald
Full of knowledge
Posts: 1161
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Re: Bash bug

Post#39 by donald » 15 Oct 2014, 11:05

@Rava
"Is there a script that does just that?"
The linked page explains which vulnerabilities are checked by "bashcheck"

"..not to have any version info in it."
???

".. there is a difference in what bashcheck reports."
Not on my end, with original slackware patch:

Code:

guest@porteus:~$ ./bashcheck
Testing /usr/bin/bash ...
GNU bash, Version 4.2.50(2)-release (i486-slackware-linux-gnu)

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)
guest@porteus:~$ su
Passwort: 
root@porteus:~# cd /home/guest
root@porteus:/home/guest# ./bashcheck
Testing /usr/bin/bash ...
GNU bash, Version 4.2.50(2)-release (i486-slackware-linux-gnu)

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)
root@porteus:/home/guest#

The updated core4.xzm (by neko btw) was built with packages from ubuntu.....

slack_distros_rock
White ninja
Posts: 5
Joined: 30 Sep 2014, 18:28
Distribution: Porteus 3 KDE4, Slacko 5.7
Location: U.S.A.

Re: Bash bug

Post#40 by slack_distros_rock » 15 Oct 2014, 18:16

@ donald

@ rava

I used the latest bashcheck and

Code:
Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)

neko's 64 bit module is ok
...McLuhan coined and certainly popularized the usage of the term "surfing" to refer to rapid, irregular and multidirectional movement through a heterogeneous body of documents or knowledge...

Wikipedia on Marshall McLuhan

Rava
Contributor
Posts: 1319
Joined: 11 Jan 2011, 02:46
Distribution: Porteus 3.1.0 x86-64 XFCe
Location: Germany

Re: Bash bug

Post#41 by Rava » 16 Oct 2014, 11:33

^
Indeed, after restart I got the same result. Just could not post, my power supply went bonkers and I had to shut down the PC... :(

@neko
Could you please include the newest usm in your (x86-64 & x686) 001-core4.xzm?

Or do you - and all others - also include the usm-3.1.6-noarch-1.xzm module?
Cheers!
Yours Rava

brokenman
Site Admin
Posts: 5456
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v3.2rcX all desktops
Location: Brazil
Contact:

Re: Bash bug

Post#42 by brokenman » 16 Oct 2014, 14:13

usm-3.1.7 will be out this weekend.
How do i become super user?
Wear your underpants on the outside and put on a cape.

neko
Contributor
Posts: 916
Joined: 09 Feb 2013, 09:55
Distribution: APorteus-FVWM-ja-x86_64.iso
Location: japan

Re: Bash bug

Post#43 by neko » 16 Oct 2014, 16:30

@ Rava
usm-latest-0.0-noarch-1 of both 001-core4.xzms will be updated to usm-3.1.7.

Thanks.

@brokenman
Thank you for your good timing post.

Rava
Contributor
Posts: 1319
Joined: 11 Jan 2011, 02:46
Distribution: Porteus 3.1.0 x86-64 XFCe
Location: Germany

Re: Bash bug

Post#44 by Rava » 16 Oct 2014, 19:31

^ & ^^

So, sometime end of weekend, or beginning of next week, we will get core5.xzm with newest usm 3.1.7? Yay! :Yahoo!:
Cheers!
Yours Rava

Ed_P
Contributor
Posts: 3160
Joined: 06 Feb 2013, 22:12
Distribution: Cinnamon 3.2.2 64-bit ISO
Location: Western NY, USA

Re: Bash bug

Post#45 by Ed_P » 17 Oct 2014, 04:05

I would think the 3.1 001-core.xzm module would include the bash bug fix(s) rather than a separate addon module.
Ed
