Page 1 of 4

Bash bug

Posted: 25 Sep 2014, 03:45
by Ed_P
Any one interested in this news article?

New 'Bash' software bug may pose bigger threat than 'Heartbleed'

http://news.yahoo.com/bash-software-bug ... 20708.html

Re: Bash bug

Posted: 25 Sep 2014, 19:03
by dacq
For the time being you could try the zsh shell, which has been kept up to date & has improvements over bash:
http://zsh.sourceforge.net/

Re: Bash bug

Posted: 25 Sep 2014, 19:04
by snake
Yep, that bug works on Porteus too, so if you are using Porteus as webserver, sshd server, etc. fix it right now.

Test with:

Code: Select all

 env x='() { :;}; echo vulnerable' bash -c 'echo hello'
Fix:
http://mirrors.slackware.com/slackware/ ... ck14.1.txz

BTW, I tried to install it with usm, however did not succeed.

Code: Select all

usm -s bash
show slackwarepatch repository:

Code: Select all

bash-4.2.045-x86_64-1.txz was found in slackware
bash-4.2.048-x86_64-1_slack14.1.txz was found in slackwarepatches
Packages found:   2 
However with get

Code: Select all

usm -g bash
show only the first one and not patch repository. My USM should be latest 3.1.6. with recent -u all. Do you get same problem?

You can manually install fix by (as a root):

Code: Select all

 wget http://mirrors.slackware.com/slackware/slackware64-14.1/patches/packages/bash-4.2.048-x86_64-1_slack14.1.txz
 txz2xzm bash-4.2.*
 activate bash-4.2*xzm

Re: Bash bug

Posted: 25 Sep 2014, 19:08
by dacq
Or there is fish, pre-compiled for various distros & also works for Mac:
http://fishshell.com/

Re: Bash bug

Posted: 25 Sep 2014, 19:14
by snake

Re: Bash bug

Posted: 25 Sep 2014, 21:55
by francois
@snake:
So I can conclude that if I am using bash only for internal manipulations, that is that I stay within my linux box, there is no threat? :)

Re: Bash bug

Posted: 25 Sep 2014, 21:58
by Ed_P
snake wrote: You can manually install fix by (as a root):

Code: Select all

 wget http://mirrors.slackware.com/slackware/slackware64-14.1/patches/packages/bash-4.2.048-x86_64-1_slack14.1.txz
 txz2xzm bash-4.2.*
 activate bash-4.2*xzm
Thanks snake.

Interesting articles guys.

Re: Bash bug

Posted: 25 Sep 2014, 23:54
by Ed_P
Oh oh, didn't work.

Code: Select all

--2014-09-25 19:47:13--  http://mirrors.slackware.com/slackware/slackware64-14.1/patches/packages/bash-4.2.048-x86_64-1_slack14.1.txz
Resolving mirrors.slackware.com (mirrors.slackware.com)... 207.223.116.213
Connecting to mirrors.slackware.com (mirrors.slackware.com)|207.223.116.213|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-09-25 19:47:14 ERROR 404: Not Found.
=update=

File needs to be bash-4.2.048-x86_64-2_slack14.1.txz not bash-4.2.048-x86_64-1_slack14.1.txz. It can be found here also: ftp://ftp.slackware.com/pub/slackware/s ... /packages/

Re: Bash bug

Posted: 26 Sep 2014, 08:08
by snake
Ed_P wrote:Oh oh, didn't work.

Code: Select all

--2014-09-25 19:47:13--  http://mirrors.slackware.com/slackware/slackware64-14.1/patches/packages/bash-4.2.048-x86_64-1_slack14.1.txz
Resolving mirrors.slackware.com (mirrors.slackware.com)... 207.223.116.213
Connecting to mirrors.slackware.com (mirrors.slackware.com)|207.223.116.213|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-09-25 19:47:14 ERROR 404: Not Found.
=update=

File needs to be bash-4.2.048-x86_64-2_slack14.1.txz not bash-4.2.048-x86_64-1_slack14.1.txz. It can be found here also: ftp://ftp.slackware.com/pub/slackware/s ... /packages/
Yes, the first update link that was available ( and I sent) was not fully fixing the issue therefore now removed. Correct one is that http://mirrors.slackware.com/slackware/ ... ck14.1.txz

Re: Bash bug

Posted: 26 Sep 2014, 08:42
by snake
francois wrote:@snake:
So I can conclude that if I am using bash only for internal manipulations, that is that I stay within my linux box, there is no threat? :)
Well maybe yes, however I suggest to update bash as it might be possible to do nasty tricks with this one. For example:
https://www.trustedsec.com/september-20 ... f-concept/ where DHCP server gives bad code to clients that happily run given script as a root. For example, if your router with dhcpd is compromised, it can give nasty scripts to all the machines asking for local network address from them. Many of routers, wlan accesspoints, "smart" tv:s has nowdays linux and some kind of webserver as frontend so that might be even bigger issue for those (mainly because those are updated rarely or there is no update available at all anymore). There is a nice discussion of other possible threads in https://news.ycombinator.com/item?id=8369443 comments. In practice it is related to anything that uses scripts and bash for doing things. Especially those scripts that run as root, and there are several of those in Linux and OSX devices. I don't know details if this works with other *sh:s.

Re: Bash bug

Posted: 26 Sep 2014, 14:41
by brokenman
Thanks snake. This is quite a low level core vulnerability and the attack vectors are very wide. Just another damn good reason why people shouldn't run as root.

Re: Bash bug

Posted: 30 Sep 2014, 15:31
by ElectriQT
Hi Brokenman,
when will it be possible to do an USM-update?


And, Thank you Snake.

Re: Bash bug

Posted: 30 Sep 2014, 16:57
by brokenman
I haven't done much on USM since the beginning of this month. Been busy with next release. You can now update the database to get this patch if you wish.

Code: Select all

usm -u slackwarepatches
usm -g bash

Re: Bash bug

Posted: 03 Oct 2014, 12:29
by neko
For 32 bit, version 3.0.1
001-core.xzm was updated to 001-core2.xzm.

http://www.mediafire.com/download/kcp5z ... -core2.xzm
md5sum: 13cb1f8dec29da0839bfcefe61908fd2 001-core2.xzm

'bash', the content of 001-core.xzm, was updated to fix the "Shellshock" problem.

Please refer
http://www.thegeekstuff.com/2014/09/bas ... 2014-7169/

Re: Bash bug

Posted: 04 Oct 2014, 13:36
by bour59
@neko
hello, with your module I get the error:
/bin/bash missing share library libtinfo.so.5
@brokenman
all's ok with creating the corrective with usm