Re: Bash bug
Posted: 04 Oct 2014, 16:38
by neko
@bour59
I am sorry for missing the needed library.
Thank you very much for your report.
================================================
For 32 bit, version 3.0.1
001-core2.xzm was updated to 001-core3.xzm.
http://www.mediafire.com/download/on9s3 ... -core3.xzm
48a70bb126e10f5c472b3feb508a1228 001-core3.xzm
'bash', the content of 001-core.xzm, was updated to fix the "Shellshock" problem.
And the needed library for the new bash was included in 001-core3.xzm.
Thanks.
Re: Bash bug
Posted: 04 Oct 2014, 18:16
by bour59
@neko
all's fine now
please what can explain the different size of
001-core.xzm (51298304)
001-core3.xzm (47292407)
thanks
Re: Bash bug
Posted: 04 Oct 2014, 18:48
by fanthom
i was playing with different block sizes for squash and looks like 001-core.xzm from 3.0.1 is compressed with 128k while it should be 256k (our default).
that's why original xzm is bigger.
sorry for that.
Re: Bash bug
Posted: 05 Oct 2014, 04:36
by Ed_P
So is the official fix for this 001-core3.xzm or
brokenman wrote: You can now update the database to get this patch if you wish.
Code:
usm -u slackwarepatches
usm -g bash
Re: Bash bug
Posted: 05 Oct 2014, 13:06
by neko
@bour59
The update to 001-core3.xzm was done in the following steps.
1) Separate
The original 001-core.xzm was separated into individual packages
according to the information in /var/log/packages/XXXXs.
2) Update
Then the "bash update" was done.
All /var/log/packages/XXXXs were updated.
3) Merge
Finally the packages were merged into the 001-core3 directory,
and 001-core3 was compressed into the 001-core3.xzm module.
# mksquashfs 001-core3 001-core3.xzm -b 256K -comp xz -Xbcj x86
Thanks.
=====================================
[ diff -r 001-core 001-core3 ]
Binary files 001-core/bin/bash and 001-core3/bin/bash differ
Only in 001-core3/bin: rbash
Binary files 001-core/bin/sh and 001-core3/bin/sh differ
Only in 001-core3/etc: bash.bashrc
Only in 001-core3/etc/skel: .bash_logout
Only in 001-core3/etc/skel: .bashrc
Only in 001-core3/etc/skel: .profile
Only in 001-core3/lib: libtinfo.so.5
Only in 001-core3/lib: libtinfo.so.5.9
Only in 001-core3/usr/X11/bin: bashbug
Only in 001-core3/usr/X11/bin: clear_console
Only in 001-core/usr/X11/man/man1: bash.1
Only in 001-core3/usr/X11/share: lintian
Only in 001-core3/usr/X11/share: man
Only in 001-core3/usr/X11/share: menu
Only in 001-core3/usr/X11R6/bin: bashbug
Only in 001-core3/usr/X11R6/bin: clear_console
Only in 001-core/usr/X11R6/man/man1: bash.1
Only in 001-core3/usr/X11R6/share: lintian
Only in 001-core3/usr/X11R6/share: man
Only in 001-core3/usr/X11R6/share: menu
Only in 001-core3/usr/bin: bashbug
Only in 001-core3/usr/bin: clear_console
Only in 001-core/usr/man/man1: bash.1
Only in 001-core3/usr/share: lintian
Only in 001-core3/usr/share: man
Only in 001-core3/usr/share: menu
There are many diffs in /var/log/packages/XXXXs.
=====================================
Re: Bash bug
Posted: 08 Oct 2014, 07:15
by Rava
@all
Is there an updated version for 3.0.1 x86-64 as well? I only read about the 32 bit updated 001-core3.xzm above...
________________________________________
For the 4.2 version, the newest patch is bash42-053 (according to http://ftp.gnu.org/gnu/bash/bash-4.2-patches/ ) but usm gives me as newest version only this: bash-4.2.045-x86_64-1.txz
Is the bash-4.2.053-x86_64-1.txz still available somewhere?
Strange enough, while gnu.org tells me the 4.2.053 being the newest patch, http://pkgs.org/download/bash tells me that ALT Linux Sisyphus has bash-3.2.54-alt1.x86_64.rpm. Do they really have 054 patch when gnu.org itself only has 053?
pkgs.org gives me as newest bash bash-4.2.045-x86_64-1.txz (same as usm) and as newest patch only bash-4.2.050-x86_64-1_slack14.1.txz ...
After
Code:
root@porteus:/mnt# usm -u slackwarepatches
I only get these as newest version/patches:
Code:
root@porteus:/mnt# usm -s bash
bash-4.2.050-x86_64-1_slack14.1.txz was found in slackwarepatches
bash-4.2.045-x86_64-1.txz was found in slackware
(same as http://pkgs.org)
Does anyone know a site that incorporates the newest gnu.org patches, as in: currently the 053 patch for 4.2?
Re: Bash bug
Posted: 08 Oct 2014, 13:33
by neko
@Rava
This month, I cannot upload an updated 001-core.xzm for the 62 bit version 3.0.1.
(Next month I can use a 64bit PC.)
The "bash_4.2-2ubuntu2.5_i386" package from 32 bit UBUNTU14.04 was used.
*) Now, I am replacing bash with dash.
Thanks.
Re: Bash bug
Posted: 08 Oct 2014, 15:46
by Rava
@neko
So, is dash working fine for all bash scripts? Can it be used for the time being as a complete bash replacement until the bash shellshock vulnerability issues are solved?
And how would one incorporate that? Run some uninstaller using the /tmp/core-whatever folder as root, and also using that folder to install or xzm2dir dash?
_________________________
Also, are you really running XFCE-v2.0-rc2-i486.iso as your avatar text suggests? Sounds more like you use XFCE-v3.0.1-i486 to me...
Re: Bash bug
Posted: 08 Oct 2014, 19:23
by brokenman
"So, is dash working fine for all bash scripts?"
This can not be guaranteed. There are many bashisms in many scripts.
Some of these include the use of $RANDOM, select, let, and source keywords, shell arithmetic, the -e option to echo, the use of "." to search the current directory .... and many other things.
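Added example, not part of the original post: a heuristic scanner for the bash-only constructs named above, for reviewing a script before it is run under dash. The function names (scan_bashisms, write_sample), the regular expressions and the sample script are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: heuristic scan for the bash-only
# constructs listed in the post above, for reviewing a script before it is
# run under dash. Regex matching, not a shell parser: expect some false hits.

# Command position: line start, after ; & | ( {, or after then/do/else.
cmd='(^|[;&|({]|then|do|else)[[:space:]]*'

# _report LABEL REGEX FILE -> "LINENO:LABEL" for each matching non-comment line
_report() {
    grep -nE -- "$2" "$3" | grep -vE '^[0-9]+:[[:space:]]*#' |
    while IFS=: read -r n rest; do printf '%s:%s\n' "$n" "$1"; done
}

# scan_bashisms FILE -> all hits, ordered by line number
scan_bashisms() {
    {
        _report '$RANDOM' '\$\{?RANDOM' "$1"
        _report 'select'  "$cmd"'select[[:space:]]+[A-Za-z_]' "$1"
        _report 'let'     "$cmd"'let[[:space:]]' "$1"
        _report 'source'  "$cmd"'source[[:space:]]' "$1"
        _report 'echo -e' "$cmd"'echo[[:space:]]+-[nE]*e' "$1"
        # (( expr )) is a bash command; $(( expr )) is POSIX and is not flagged
        _report '(( ))'   '(^|[^$(])\(\(' "$1"
        # ". file" with no slash: bash also searches the current directory
        _report '. without path' "$cmd"'\.[[:space:]]+[^/[:space:]]+([[:space:];]|$)' "$1"
    } | sort -t: -k1,1n
}

# write_sample FILE: constructed input; hits expected on lines 3-7 and 9
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
# echo -e in a comment is ignored
n=$RANDOM
let n=n+1
echo -e "a\tb"
source ./conf
. conf
i=$((n + 1))
((i++))
. ./conf
EOF
}

tmp=$(mktemp) && write_sample "$tmp" && scan_bashisms "$tmp"
rm -f "$tmp"
```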
Re: Bash bug
Posted: 08 Oct 2014, 20:23
by Rava
^
At least the -e option of echo could be reproduced when replacing
with
Anyhow, is it recommendable to replace 001's bash with dash? Would all system scripts including all Porteus scripts still work okay?
When I just have to debug/change/whatever my own dozens of scripts, I can live with that... but having a buggy and faulty Porteus is not something I desire...
Re: Bash bug
Posted: 08 Oct 2014, 23:53
by donald
anyone in doubt...test your bash...this script checks against 6 public vulnerabilities.
https://github.com/hannob/bashcheck
Re: Bash bug
Posted: 09 Oct 2014, 00:43
by brokenman
"Anyhow, is it recommendable to replace 001's bash with dash?"
No (see my above post for reasons).
Your echo -e example is not valid. Check man echo to see why.
Re: Bash bug
Posted: 10 Oct 2014, 00:07
by Rava
brokenman wrote: Your echo -e example is not valid. Check man echo to see why.
Code:
man echo:
-e enable interpretation of backslash escapes
You confuse me, brokenman...
Re: Bash bug
Posted: 10 Oct 2014, 05:36
by cttan
Hi donald,
The bash check is good.
I just updated using usm -g bash and all is good now, as in the output below.
Code:
root@a10b23c45d67:~# ./bashcheck
Testing /usr/bin/bash ...
GNU bash, version 4.2.50(2)-release (x86_64-slackware-linux-gnu)
Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Found non-exploitable CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)
root@a10b23c45d67:~#
bashcheck script from donald's link:
Code:
#!/bin/bash

warn() {
    if [ "$scary" == "1" ]; then
        echo -e "\033[91mVulnerable to $1\033[39m"
    else
        echo -e "\033[93mFound non-exploitable $1\033[39m"
    fi
}

good() {
    echo -e "\033[92mNot vulnerable to $1\033[39m"
}

tmpdir=`mktemp -d -t tmp.XXXXXXXX`

[ -n "$1" ] && bash=$(which $1) || bash=$(which bash)
echo -e "\033[95mTesting $bash ..."
echo $($bash --version | head -n 1)
echo -e "\033[39m"

#r=`a="() { echo x;}" $bash -c a 2>/dev/null`
if [ -n "$(env 'a'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
    echo -e "\033[91mVariable function parser active, maybe vulnerable to unknown parser bugs\033[39m"
    scary=1
elif [ -n "$(env 'BASH_FUNC_a%%'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
    echo -e "\033[92mVariable function parser pre/suffixed [%%, upstream], bugs not exploitable\033[39m"
    scary=0
elif [ -n "$(env 'BASH_FUNC_a()'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
    echo -e "\033[92mVariable function parser pre/suffixed [(), redhat], bugs not exploitable\033[39m"
    scary=0
elif [ -n "$(env 'BASH_FUNC_<a>%%'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
    echo -e "\033[92mVariable function parser pre/suffixed [<..>%%, apple], bugs not exploitable\033[39m"
    scary=0
else
    echo -e "\033[92mVariable function parser inactive, bugs not exploitable\033[39m"
    scary=0
fi

r=`env x="() { :; }; echo x" $bash -c "" 2>/dev/null`
if [ -n "$r" ]; then
    warn "CVE-2014-6271 (original shellshock)"
else
    good "CVE-2014-6271 (original shellshock)"
fi

cd $tmpdir
env x='() { function a a>\' $bash -c echo 2>/dev/null > /dev/null
if [ -e echo ]; then
    warn "CVE-2014-7169 (taviso bug)"
else
    good "CVE-2014-7169 (taviso bug)"
fi

$($bash -c "true $(printf '<<EOF %.0s' {1..80})" 2>$tmpdir/bashcheck.tmp)
ret=$?
grep -q AddressSanitizer $tmpdir/bashcheck.tmp
if [ $? == 0 ] || [ $ret == 139 ]; then
    warn "CVE-2014-7186 (redir_stack bug)"
else
    good "CVE-2014-7186 (redir_stack bug)"
fi

$bash -c "`for i in {1..200}; do echo -n "for x$i in; do :;"; done; for i in {1..200}; do echo -n "done;";done`" 2>/dev/null
if [ $? != 0 ]; then
    warn "CVE-2014-7187 (nested loops off by one)"
else
    echo -e "\033[96mTest for CVE-2014-7187 not reliable without address sanitizer\033[39m"
fi

$($bash -c "f(){ x(){ _;};x(){ _;}<<a;}" 2>/dev/null)
if [ $? != 0 ]; then
    warn "CVE-2014-6277 (lcamtuf bug #1)"
else
    good "CVE-2014-6277 (lcamtuf bug #1)"
fi

if [ -n "$(env x='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
    warn "CVE-2014-6278 (lcamtuf bug #2)"
elif [ -n "$(env BASH_FUNC_x%%='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
    warn "CVE-2014-6278 (lcamtuf bug #2)"
elif [ -n "$(env 'BASH_FUNC_x()'='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
    warn "CVE-2014-6278 (lcamtuf bug #2)"
else
    good "CVE-2014-6278 (lcamtuf bug #2)"
fi

rm -rf $tmpdir
Re: Bash bug
Posted: 10 Oct 2014, 09:25
by donald
Hi cttan
Unfortunately slackware has only the bash-patch 50, whereas the newest is 53
which looks much better.
Testing /bin/bash ...
GNU bash, version 4.2.53(2)-release
Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)
also the (patch 53) code seems to be better. I had some bash-segfault-messages with
earlier patches.
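Added example, not part of bashcheck or of the posts above: a filter that reduces bashcheck output to one status per CVE, so the patch 50 and patch 53 runs in this thread can be compared mechanically. The function names and status labels are this example's own; the message strings it matches are the ones in the bashcheck script posted earlier.

```shell
#!/bin/sh
# Added example, not part of bashcheck or the thread: reduce bashcheck output
# to "CVE STATUS" lines so hosts and patch levels can be compared.
# Function names and status labels are this example's own.

# parse_bashcheck: bashcheck text on stdin -> one "CVE STATUS" line per test
parse_bashcheck() {
    esc=$(printf '\033')
    sed "s/${esc}\[[0-9;]*m//g" |        # strip the ANSI colour codes
    awk 'match($0, /CVE-[0-9]+-[0-9]+/) {
        cve = substr($0, RSTART, RLENGTH)
        if      ($0 ~ /^Vulnerable to /)         s = "VULNERABLE"
        else if ($0 ~ /^Found non-exploitable /) s = "NOT_EXPLOITABLE"
        else if ($0 ~ /^Not vulnerable to /)     s = "OK"
        else if ($0 ~ /not reliable/)            s = "UNTESTED"
        else next
        print cve, s
    }'
}

# worst_status: parse_bashcheck output on stdin -> most severe status seen
worst_status() {
    awk '$2 == "VULNERABLE"               { v = 3 }
         $2 == "NOT_EXPLOITABLE" && v < 2 { v = 2 }
         $2 == "UNTESTED"        && v < 1 { v = 1 }
         END { split("OK UNTESTED NOT_EXPLOITABLE VULNERABLE", n, " ")
               print n[v + 1] }'
}

# Result lines of the 4.2.50 run posted above.
patch50() {
    cat <<'EOF'
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Found non-exploitable CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)
EOF
}

# The 4.2.53 run posted above differs only in the three "Found" lines.
patch53() { patch50 | sed 's/^Found non-exploitable /Not vulnerable to /'; }

for run in patch50 patch53; do
    printf '%s: %s\n' "$run" "$($run | parse_bashcheck | worst_status)"
done
```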