Bash bug
Posted: 25 Sep 2014, 03:45
by Ed_P
Anyone interested in this news article?
New 'Bash' software bug may pose bigger threat than 'Heartbleed'
http://news.yahoo.com/bash-software-bug ... 20708.html
Re: Bash bug
Posted: 25 Sep 2014, 19:03
by dacq
For the time being you could try the zsh shell, which has been kept up to date & has improvements over bash:
http://zsh.sourceforge.net/
Re: Bash bug
Posted: 25 Sep 2014, 19:04
by snake
Yep, that bug works on Porteus too, so if you are using Porteus as a webserver, sshd server, etc., fix it right now.
Test with:
Code:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
Fix:
http://mirrors.slackware.com/slackware/ ... ck14.1.txz
BTW, I tried to install it with usm, however did not succeed.
show slackwarepatch repository:
Code:
bash-4.2.045-x86_64-1.txz was found in slackware
bash-4.2.048-x86_64-1_slack14.1.txz was found in slackwarepatches
Packages found: 2
However with get
show only the first one and not patch repository. My USM should be latest 3.1.6. with recent -u all. Do you get same problem?
You can manually install fix by (as a root):
Code:
wget http://mirrors.slackware.com/slackware/slackware64-14.1/patches/packages/bash-4.2.048-x86_64-1_slack14.1.txz
txz2xzm bash-4.2.*
activate bash-4.2*xzm
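The one-liner from the post above, wrapped so a script can read the result and extended to `/bin/sh`, which is a link to bash on some systems (an added example, not part of the original thread; `check_shell`, `audit_shells` and the result words are names chosen here). A `not-vulnerable` result covers only this one test string.

```sh
#!/bin/sh
# Added example: report, per shell binary, the outcome of the thread's test.
MARKER=vulnerable   # the word the thread's one-liner echoes

# check_shell BIN -> prints vulnerable | not-vulnerable | unknown | missing
check_shell() {
    bin=$1
    [ -x "$bin" ] || { echo missing; return 0; }
    # env -i gives a clean environment, so x is the only imported variable.
    # An affected bash runs the trailing echo while importing x, before it
    # reaches "echo hello". stderr is dropped: some fixed builds print a
    # warning about the ignored function definition.
    out=$(env -i x="() { :;}; echo $MARKER" "$bin" -c 'echo hello' 2>/dev/null) || true
    case $out in
        *"$MARKER"*) echo vulnerable ;;
        *hello*)     echo not-vulnerable ;;   # only this test string was tried
        *)           echo unknown ;;          # shell did not run the command
    esac
}

# audit_shells -> one line per candidate: "<path> -> <resolved path>: <result>"
audit_shells() {
    for p in /bin/sh /bin/bash "$(command -v bash 2>/dev/null)"; do
        [ -n "$p" ] || continue
        # Resolve symlinks so a /bin/sh that is really bash is visible.
        real=$(readlink -f "$p" 2>/dev/null) || real=$p
        echo "$p -> $real: $(check_shell "$p")"
    done
}

audit_shells
```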
Re: Bash bug
Posted: 25 Sep 2014, 19:08
by dacq
Or there is fish, pre-compiled for various distros & also works for Mac:
http://fishshell.com/
Re: Bash bug
Posted: 25 Sep 2014, 19:14
by snake
Re: Bash bug
Posted: 25 Sep 2014, 21:55
by francois
@snake:
So I can conclude that if I am using bash only for internal manipulations, that is that I stay within my linux box, there is no threat?
Re: Bash bug
Posted: 25 Sep 2014, 21:58
by Ed_P
snake wrote:
You can manually install fix by (as a root):
Code:
wget http://mirrors.slackware.com/slackware/slackware64-14.1/patches/packages/bash-4.2.048-x86_64-1_slack14.1.txz
txz2xzm bash-4.2.*
activate bash-4.2*xzm
Thanks snake.
Interesting articles guys.
Re: Bash bug
Posted: 25 Sep 2014, 23:54
by Ed_P
Oh oh, didn't work.
Code:
--2014-09-25 19:47:13-- http://mirrors.slackware.com/slackware/slackware64-14.1/patches/packages/bash-4.2.048-x86_64-1_slack14.1.txz
Resolving mirrors.slackware.com (mirrors.slackware.com)... 207.223.116.213
Connecting to mirrors.slackware.com (mirrors.slackware.com)|207.223.116.213|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-09-25 19:47:14 ERROR 404: Not Found.
=update=
File needs to be bash-4.2.048-x86_64-2_slack14.1.txz not bash-4.2.048-x86_64-1_slack14.1.txz. It can be found here also:
ftp://ftp.slackware.com/pub/slackware/s ... /packages/
Re: Bash bug
Posted: 26 Sep 2014, 08:08
by snake
Ed_P wrote:
Oh oh, didn't work.
Code:
--2014-09-25 19:47:13-- http://mirrors.slackware.com/slackware/slackware64-14.1/patches/packages/bash-4.2.048-x86_64-1_slack14.1.txz
Resolving mirrors.slackware.com (mirrors.slackware.com)... 207.223.116.213
Connecting to mirrors.slackware.com (mirrors.slackware.com)|207.223.116.213|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-09-25 19:47:14 ERROR 404: Not Found.
=update=
File needs to be bash-4.2.048-x86_64-2_slack14.1.txz not bash-4.2.048-x86_64-1_slack14.1.txz. It can be found here also:
ftp://ftp.slackware.com/pub/slackware/s ... /packages/
Yes, the first update link that was available (and that I sent) did not fully fix the issue and has therefore now been removed. The correct one is this:
http://mirrors.slackware.com/slackware/ ... ck14.1.txz
Re: Bash bug
Posted: 26 Sep 2014, 08:42
by snake
francois wrote:
@snake:
So I can conclude that if I am using bash only for internal manipulations, that is that I stay within my linux box, there is no threat?
Well maybe yes, however I suggest updating bash, as it might be possible to do nasty tricks with this one. For example:
https://www.trustedsec.com/september-20 ... f-concept/ where a DHCP server gives bad code to clients that happily run the given script as root. For example, if your router with dhcpd is compromised, it can give nasty scripts to all the machines asking it for a local network address. Many routers, WLAN access points and "smart" TVs nowadays have Linux and some kind of webserver as a frontend, so that might be an even bigger issue for those (mainly because those are rarely updated or there is no update available at all anymore). There is a nice discussion of other possible threats in the
https://news.ycombinator.com/item?id=8369443 comments. In practice it is related to anything that uses scripts and bash for doing things, especially those scripts that run as root, and there are several of those in Linux and OSX devices. I don't know the details of whether this works with other *sh shells.
Re: Bash bug
Posted: 26 Sep 2014, 14:41
by brokenman
Thanks snake. This is quite a low level core vulnerability and the attack vectors are very wide. Just another damn good reason why people shouldn't run as root.
Re: Bash bug
Posted: 30 Sep 2014, 15:31
by ElectriQT
Hi Brokenman,
when will it be possible to do a USM update?
And thank you, Snake.
Re: Bash bug
Posted: 30 Sep 2014, 16:57
by brokenman
I haven't done much on USM since the beginning of this month. Been busy with next release. You can now update the database to get this patch if you wish.
Code:
usm -u slackwarepatches
usm -g bash
Re: Bash bug
Posted: 03 Oct 2014, 12:29
by neko
For 32 bit, version 3.0.1
001-core.xzm was updated to 001-core2.xzm.
http://www.mediafire.com/download/kcp5z ... -core2.xzm
md5sum: 13cb1f8dec29da0839bfcefe61908fd2 001-core2.xzm
'bash', the content of 001-core.xzm, was updated to fix the "Shellshock" problem.
Please refer to
http://www.thegeekstuff.com/2014/09/bas ... 2014-7169/
Re: Bash bug
Posted: 04 Oct 2014, 13:36
by bour59
@neko
hello, with your module I get the error:
/bin/bash missing share library libtinfo.so.5
@brokenman
all's ok with creating the corrective with usm