Bash bug

Ed_P
Contributor
Posts: 8341
Joined: 06 Feb 2013, 22:12
Distribution: Cinnamon 5.01 ISO
Location: Western NY, USA

Bash bug

Post#1 by Ed_P » 25 Sep 2014, 03:45

Any one interested in this news article?

New 'Bash' software bug may pose bigger threat than 'Heartbleed'

http://news.yahoo.com/bash-software-bug ... 20708.html
Ed

dacq
Black ninja
Posts: 31
Joined: 13 Dec 2013, 19:00
Distribution: 2.1
Location: uk

Re: Bash bug

Post#2 by dacq » 25 Sep 2014, 19:03

For the time being you could try the zsh shell, which has been kept up to date & has improvements over bash:
http://zsh.sourceforge.net/

snake
White ninja
Posts: 14
Joined: 29 Dec 2010, 10:02
Distribution: Porteus-v3.1 64bit KDE
Location: Finland

Re: Bash bug

Post#3 by snake » 25 Sep 2014, 19:04

Yep, that bug works on Porteus too, so if you are using Porteus as webserver, sshd server, etc. fix it right now.

Test with:

Code:

 env x='() { :;}; echo vulnerable' bash -c 'echo hello'

Fix:
http://mirrors.slackware.com/slackware/ ... ck14.1.txz

BTW, I tried to install it with usm, however I did not succeed.

Code:

usm -s bash

shows slackwarepatch repository:

Code:

bash-4.2.045-x86_64-1.txz was found in slackware
bash-4.2.048-x86_64-1_slack14.1.txz was found in slackwarepatches
Packages found:   2

However with get

Code:

usm -g bash

shows only the first one and not the patch repository. My USM should be the latest, 3.1.6, with a recent -u all. Do you get the same problem?

You can manually install the fix by (as root):

Code:

 wget http://mirrors.slackware.com/slackware/slackware64-14.1/patches/packages/bash-4.2.048-x86_64-1_slack14.1.txz
 txz2xzm bash-4.2.*
 activate bash-4.2*xzm
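
Added example, not part of snake's post or of Porteus: the test command from the post above wrapped so it can be run against several shell binaries at once, for instance before and after activating the patched module. The names `check_shell` and `scan_shells` and the verdict strings are made up for this example, and paths are assumed to be absolute.

```shell
#!/bin/sh
# Added example: the thread's test command as a reusable check.
# check_shell and scan_shells are names made up for this example.

# Print one verdict for the shell binary at path $1:
#   vulnerable | not-vulnerable | missing | unknown
check_shell() (
    shell=$1
    [ -x "$shell" ] || { echo missing; exit 0; }
    # env -i starts from an empty environment, so the probe variable x is
    # the only thing the shell under test imports. stderr is discarded.
    out=$(env -i x='() { :;}; echo vulnerable' "$shell" -c 'echo hello' 2>/dev/null)
    case $out in
        *vulnerable*) echo vulnerable ;;      # text after the function body was run
        hello)        echo not-vulnerable ;;  # only the requested command ran
        *)            echo unknown ;;         # shell failed or printed something else
    esac
)

# Check each path given; exit status is 1 if any of them is vulnerable.
scan_shells() (
    rc=0
    for s in "$@"; do
        verdict=$(check_shell "$s")
        # /bin/sh is often a symlink to bash, so also show the real file.
        target=$(readlink -f "$s" 2>/dev/null || echo "$s")
        printf '%-15s %s -> %s\n' "$verdict" "$s" "$target"
        if [ "$verdict" = vulnerable ]; then rc=1; fi
    done
    exit "$rc"
)

# Run as: sh check.sh /bin/sh /bin/bash
if [ "$#" -gt 0 ]; then
    scan_shells "$@"
fi
```

The check only covers the behaviour that the one-line test in the post detects; the non-zero exit status makes it usable from a boot or cron script.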

dacq
Black ninja
Posts: 31
Joined: 13 Dec 2013, 19:00
Distribution: 2.1
Location: uk

Re: Bash bug

Post#4 by dacq » 25 Sep 2014, 19:08

Or there is fish, pre-compiled for various distros & also works for Mac:
http://fishshell.com/

snake
White ninja
Posts: 14
Joined: 29 Dec 2010, 10:02
Distribution: Porteus-v3.1 64bit KDE
Location: Finland

Re: Bash bug

Post#5 by snake » 25 Sep 2014, 19:14


francois
Contributor
Posts: 6434
Joined: 28 Dec 2010, 14:25
Distribution: xfce plank porteus nemesis
Location: Spring, spring, spring... ... winter is running out of breath.

Re: Bash bug

Post#6 by francois » 25 Sep 2014, 21:55

@snake:
So I can conclude that if I am using bash only for internal manipulations, that is that I stay within my linux box, there is no threat? :)
Take your time, enjoy the time that passes.

Ed_P
Contributor
Posts: 8341
Joined: 06 Feb 2013, 22:12
Distribution: Cinnamon 5.01 ISO
Location: Western NY, USA

Re: Bash bug

Post#7 by Ed_P » 25 Sep 2014, 21:58

snake wrote: You can manually install fix by (as a root):

Code:

 wget http://mirrors.slackware.com/slackware/slackware64-14.1/patches/packages/bash-4.2.048-x86_64-1_slack14.1.txz
 txz2xzm bash-4.2.*
 activate bash-4.2*xzm

Thanks snake.

Interesting articles guys.
Ed

Ed_P
Contributor
Posts: 8341
Joined: 06 Feb 2013, 22:12
Distribution: Cinnamon 5.01 ISO
Location: Western NY, USA

Re: Bash bug

Post#8 by Ed_P » 25 Sep 2014, 23:54

Oh oh, didn't work.

Code:

--2014-09-25 19:47:13--  http://mirrors.slackware.com/slackware/slackware64-14.1/patches/packages/bash-4.2.048-x86_64-1_slack14.1.txz
Resolving mirrors.slackware.com (mirrors.slackware.com)... 207.223.116.213
Connecting to mirrors.slackware.com (mirrors.slackware.com)|207.223.116.213|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-09-25 19:47:14 ERROR 404: Not Found.

=update=

File needs to be bash-4.2.048-x86_64-2_slack14.1.txz not bash-4.2.048-x86_64-1_slack14.1.txz. It can be found here also: ftp://ftp.slackware.com/pub/slackware/s ... /packages/
Ed

snake
White ninja
Posts: 14
Joined: 29 Dec 2010, 10:02
Distribution: Porteus-v3.1 64bit KDE
Location: Finland

Re: Bash bug

Post#9 by snake » 26 Sep 2014, 08:08

Ed_P wrote: Oh oh, didn't work.

Code:

--2014-09-25 19:47:13--  http://mirrors.slackware.com/slackware/slackware64-14.1/patches/packages/bash-4.2.048-x86_64-1_slack14.1.txz
Resolving mirrors.slackware.com (mirrors.slackware.com)... 207.223.116.213
Connecting to mirrors.slackware.com (mirrors.slackware.com)|207.223.116.213|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-09-25 19:47:14 ERROR 404: Not Found.

=update=

File needs to be bash-4.2.048-x86_64-2_slack14.1.txz not bash-4.2.048-x86_64-1_slack14.1.txz. It can be found here also: ftp://ftp.slackware.com/pub/slackware/s ... /packages/

Yes, the first update link that was available (and that I sent) was not fully fixing the issue and has therefore now been removed. The correct one is this: http://mirrors.slackware.com/slackware/ ... ck14.1.txz

snake
White ninja
Posts: 14
Joined: 29 Dec 2010, 10:02
Distribution: Porteus-v3.1 64bit KDE
Location: Finland

Re: Bash bug

Post#10 by snake » 26 Sep 2014, 08:42

francois wrote: @snake:
So I can conclude that if I am using bash only for internal manipulations, that is that I stay within my linux box, there is no threat? :)

Well, maybe yes; however, I suggest updating bash, as it might be possible to do nasty tricks with this one. For example:
https://www.trustedsec.com/september-20 ... f-concept/ where a DHCP server gives bad code to clients that happily run the given script as root. For example, if your router with dhcpd is compromised, it can give nasty scripts to all the machines asking it for a local network address. Many routers, WLAN access points and "smart" TVs nowadays have Linux and some kind of webserver as a frontend, so that might be an even bigger issue for those (mainly because those are rarely updated or there is no update available at all anymore). There is a nice discussion of other possible threads in the https://news.ycombinator.com/item?id=8369443 comments. In practice it is related to anything that uses scripts and bash for doing things, especially those scripts that run as root, and there are several of those in Linux and OSX devices. I don't know the details of whether this works with other *sh:s.

brokenman
Site Admin
Posts: 6105
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v4 all desktops
Location: Brazil

Re: Bash bug

Post#11 by brokenman » 26 Sep 2014, 14:41

Thanks snake. This is quite a low level core vulnerability and the attack vectors are very wide. Just another damn good reason why people shouldn't run as root.
How do I become super user?
Wear your underpants on the outside and put on a cape.

ElectriQT
Samurai
Posts: 116
Joined: 10 Nov 2013, 12:02
Distribution: LXDE3.5Manjaro, LXDE3.01-32bit
Location: Sweden

Re: Bash bug

Post#12 by ElectriQT » 30 Sep 2014, 15:31

Hi Brokenman,
when will it be possible to do a USM update?

And thank you, Snake.

brokenman
Site Admin
Posts: 6105
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v4 all desktops
Location: Brazil

Re: Bash bug

Post#13 by brokenman » 30 Sep 2014, 16:57

I haven't done much on USM since the beginning of this month. Been busy with next release. You can now update the database to get this patch if you wish.

Code:

usm -u slackwarepatches
usm -g bash

How do I become super user?
Wear your underpants on the outside and put on a cape.

neko
DEV Team
Posts: 2109
Joined: 09 Feb 2013, 09:55
Distribution: APorteus-FVWM-ja-x86_64.iso
Location: japan

Re: Bash bug

Post#14 by neko » 03 Oct 2014, 12:29

For 32 bit, version 3.0.1
001-core.xzm was updated to 001-core2.xzm.

http://www.mediafire.com/download/kcp5z ... -core2.xzm
md5sum: 13cb1f8dec29da0839bfcefe61908fd2 001-core2.xzm

'bash', the content of 001-core.xzm, was updated to fix the "Shellshock" problem.

Please refer to:
http://www.thegeekstuff.com/2014/09/bas ... 2014-7169/

bour59
Samurai
Posts: 181
Joined: 29 Dec 2010, 08:10
Distribution: porteus v5.0-xfce K5.19.7
Location: France

Re: Bash bug

Post#15 by bour59 » 04 Oct 2014, 13:36

@neko
hello, with your module I get the error:
/bin/bash missing share library libtinfo.so.5
@brokenman
all's ok with creating the corrective with usm
