Page 2 of 4

Re: Bash bug

Posted: 04 Oct 2014, 16:38
by neko
@bour59
I am sorry for missing the needed library.
Thank you very much for your report.

================================================

For 32 bit, version 3.0.1
001-core2.xzm was updated to 001-core3.xzm.

http://www.mediafire.com/download/on9s3 ... -core3.xzm
48a70bb126e10f5c472b3feb508a1228 001-core3.xzm

'bash', the content of 001-core.xzm, was updated to fix the "Shellshock" problem.
And the needed library for the new bash was included in 001-core3.xzm.

Thanks.

Re: Bash bug

Posted: 04 Oct 2014, 18:16
by bour59
@neko
All's fine now.
Please, what explains the different sizes of
001-core.xzm (51298304)
001-core3.xzm (47292407)
Thanks

Re: Bash bug

Posted: 04 Oct 2014, 18:48
by fanthom
I was playing with different block sizes for squash and it looks like 001-core.xzm from 3.0.1 is compressed with 128k while it should be 256k (our default).
That's why the original xzm is bigger.

sorry for that.

Re: Bash bug

Posted: 05 Oct 2014, 04:36
by Ed_P
So is the official fix for this 001-core3.xzm or
brokenman wrote: You can now update the database to get this patch if you wish.

usm -u slackwarepatches
usm -g bash

Re: Bash bug

Posted: 05 Oct 2014, 13:06
by neko
@bour59

The update to 001-core3.xzm was done in the following steps.

1) Separate
The original 001-core.xzm was separated into its individual packages
based on the information in /var/log/packages/XXXXs.

2) Update
Then the "bash update" was done.
All /var/log/packages/XXXXs were updated.

3) Merge
Finally, each package was merged into the 001-core3 directory,
and 001-core3 was compressed into the 001-core3.xzm module.

# mksquashfs 001-core3 001-core3.xzm -b 256K -comp xz -Xbcj x86

Thanks.
=====================================
[ diff -r 001-core 001-core3 ]

Binary files 001-core/bin/bash and 001-core3/bin/bash differ
Only in 001-core3/bin: rbash
Binary files 001-core/bin/sh and 001-core3/bin/sh differ
Only in 001-core3/etc: bash.bashrc
Only in 001-core3/etc/skel: .bash_logout
Only in 001-core3/etc/skel: .bashrc
Only in 001-core3/etc/skel: .profile
Only in 001-core3/lib: libtinfo.so.5
Only in 001-core3/lib: libtinfo.so.5.9
Only in 001-core3/usr/X11/bin: bashbug
Only in 001-core3/usr/X11/bin: clear_console
Only in 001-core/usr/X11/man/man1: bash.1
Only in 001-core3/usr/X11/share: lintian
Only in 001-core3/usr/X11/share: man
Only in 001-core3/usr/X11/share: menu
Only in 001-core3/usr/X11R6/bin: bashbug
Only in 001-core3/usr/X11R6/bin: clear_console
Only in 001-core/usr/X11R6/man/man1: bash.1
Only in 001-core3/usr/X11R6/share: lintian
Only in 001-core3/usr/X11R6/share: man
Only in 001-core3/usr/X11R6/share: menu
Only in 001-core3/usr/bin: bashbug
Only in 001-core3/usr/bin: clear_console
Only in 001-core/usr/man/man1: bash.1
Only in 001-core3/usr/share: lintian
Only in 001-core3/usr/share: man
Only in 001-core3/usr/share: menu

There are many diffs in /var/log/packages/XXXXs.
=====================================
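Both fanthom's remark about the 128k versus 256k block size and neko's mksquashfs line (-b 256K -comp xz) can be verified against a module without mounting it, by reading the squashfs superblock at the start of the .xzm file. This is an added example, not code from the thread or from Porteus; it assumes the squashfs 4.0 superblock layout, and the sample headers it checks are constructed inside the block.

```python
import struct

# Little-endian squashfs 4.0 superblock; the first 32 bytes hold everything
# needed here: magic, inode_count, mod_time, block_size, frag_count,
# compressor, block_log, flags, id_count, version_major, version_minor.
SB_HEADER = struct.Struct("<IIIIIHHHHHH")
SQUASHFS_MAGIC = 0x73717368  # the bytes "hsqs" read as a little-endian u32
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}

def parse_superblock(data):
    """Return the interesting superblock fields, or raise ValueError."""
    if len(data) < SB_HEADER.size:
        raise ValueError("too short to be a squashfs image")
    (magic, inodes, _mtime, block_size, _frags, comp, block_log,
     _flags, _ids, major, minor) = SB_HEADER.unpack_from(data)
    if magic != SQUASHFS_MAGIC:
        raise ValueError("bad magic 0x%08x" % magic)
    return {"inodes": inodes, "block_size": block_size, "block_log": block_log,
            "compressor": COMPRESSORS.get(comp, "unknown(%d)" % comp),
            "version": (major, minor)}

def check_module(data, want_block=256 * 1024, want_comp="xz"):
    """Compare a module's superblock with the build settings we expect."""
    sb = parse_superblock(data)
    problems = []
    if sb["version"] != (4, 0):
        problems.append("unexpected squashfs version %d.%d" % sb["version"])
    if 1 << sb["block_log"] != sb["block_size"]:
        problems.append("block_log %d does not match block_size %d"
                        % (sb["block_log"], sb["block_size"]))
    if sb["block_size"] != want_block:
        problems.append("block size %dK, expected %dK"
                        % (sb["block_size"] // 1024, want_block // 1024))
    if sb["compressor"] != want_comp:
        problems.append("compressor %s, expected %s" % (sb["compressor"], want_comp))
    return problems

def check_file(path, **kw):
    """Read only the superblock of a real .xzm file and check it."""
    with open(path, "rb") as f:
        return check_module(f.read(SB_HEADER.size), **kw)

def make_header(block_size, comp=4):
    """Constructed sample superblock (not a real module) for offline runs."""
    return SB_HEADER.pack(SQUASHFS_MAGIC, 1234, 0, block_size, 0, comp,
                          block_size.bit_length() - 1, 0, 1, 4, 0)

if __name__ == "__main__":
    for name, hdr in (("128K build", make_header(128 * 1024)),
                      ("256K build", make_header(256 * 1024))):
        print(name, "->", check_module(hdr) or ["ok"])
```

Running check_file("001-core3.xzm") on a real module reports an empty list when it was built with the -b 256K -comp xz settings from the post.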

Re: Bash bug

Posted: 08 Oct 2014, 07:15
by Rava
@all
Is there an updated version for 3.0.1 x86-64 as well? I only read about the 32 bit updated 001-core3.xzm above...

________________________________________

For the 4.2 version, the newest patch is bash42-053 (according to http://ftp.gnu.org/gnu/bash/bash-4.2-patches/ ) but usm gives me as newest version only this: bash-4.2.045-x86_64-1.txz

Is the bash-4.2.053-x86_64-1.txz still available somewhere?

Strangely enough, while gnu.org tells me that 4.2.053 is the newest patch, http://pkgs.org/download/bash tells me that ALT Linux Sisyphus has bash-3.2.54-alt1.x86_64.rpm. Do they really have the 054 patch when gnu.org itself only has 053?

pkgs.org gives me as newest bash bash-4.2.045-x86_64-1.txz (same as usm) and as newest patch only bash-4.2.050-x86_64-1_slack14.1.txz ...

After

root@porteus:/mnt# usm -u slackwarepatches
I only get these as newest version/patches:

root@porteus:/mnt# usm -s bash

bash-4.2.050-x86_64-1_slack14.1.txz was found in slackwarepatches
bash-4.2.045-x86_64-1.txz was found in slackware
(same as http://pkgs.org)

Does anyone know a site that incorporates the newest gnu.org patches, as in: currently the 053 patch for 4.2?

Re: Bash bug

Posted: 08 Oct 2014, 13:33
by neko
@Rava
This month I cannot upload an updated 001-core.xzm for the 64 bit version 3.0.1.
(Next month I can use a 64 bit PC.)

The "bash_4.2-2ubuntu2.5_i386" package from 32 bit Ubuntu 14.04 was used.

*) Now I am replacing bash with dash.

Thanks.

Re: Bash bug

Posted: 08 Oct 2014, 15:46
by Rava
@neko
So, is dash working fine for all bash scripts? Can it be used for the time being as a complete bash replacement until the bash shellshock vulnerability issues are solved?

And how would one incorporate that? Run some uninstaller using the /tmp/core-whatever folder as root, and also using that folder to install or xzm2dir dash?
_________________________

Also, are you really running XFCE-v2.0-rc2-i486.iso as your avatar text suggests? Sounds more like you use XFCE-v3.0.1-i486 to me...

Re: Bash bug

Posted: 08 Oct 2014, 19:23
by brokenman
So, is dash working fine for all bash scripts?
This cannot be guaranteed. There are many bashisms in many scripts.

Some of these include the use of $RANDOM, select, let, and source keywords, shell arithmetic, the -e option to echo, the use of "." to search the current directory .... and many other things.
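A static scan for the constructs brokenman lists is a cheap first check before pointing /bin/sh at dash. This is an added example, not code from the thread or from Porteus: the regexes and the sample script are constructed here, and it goes slightly beyond the post by also flagging [[ ]], the (( )) arithmetic command and array syntax.

```python
import re

# One regex per construct named in the post, plus a few equally common ones.
# The "." search of the current directory is PATH lookup behaviour at run
# time, not script text, so a static scan cannot catch it.
BASHISMS = [
    (r"\$RANDOM\b",                    "$RANDOM"),
    (r"(^|;)\s*select\s+\w+\s+in\b",   "select loop"),
    (r"(^|;)\s*let\s",                 "let"),
    (r"(^|;)\s*source\s",              "source (use '.')"),
    (r"\becho\s+-[neE]+(\s|$)",        "echo -e/-n (use printf)"),
    (r"(^|\s)\(\(",                    "(( )) arithmetic command"),
    (r"\[\[",                          "[[ ]] test"),
    (r"\$\{\w+\[",                     "array expansion"),
]

def scan_script(text):
    """Return (line_no, construct) for every bashism found in a script.

    Heuristic: text after the first '#' on a line is dropped as a comment,
    so a '#' inside a string or ${#var} can hide or cause a finding.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        code = "" if line.startswith("#!") else line.split("#", 1)[0]
        for pattern, name in BASHISMS:
            if re.search(pattern, code):
                findings.append((no, name))
    return findings

def needs_bash(text):
    """True if the script is run by /bin/sh yet contains bashisms."""
    first = text.splitlines()[0] if text else ""
    return first.startswith("#!/bin/sh") and bool(scan_script(text))

# Constructed sample, not an actual Porteus or system script.
SAMPLE = """#!/bin/sh
# constructed sample
source /etc/rc.d/common
let n=$RANDOM%10
echo -e "picked\\t$n"
for f in *.xzm; do printf '%s\\n' "$f"; done
"""

if __name__ == "__main__":
    for no, name in scan_script(SAMPLE):
        print("line %d: %s" % (no, name))
    print("would break with dash as /bin/sh:", needs_bash(SAMPLE))
```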

Re: Bash bug

Posted: 08 Oct 2014, 20:23
by Rava
^
At least the -e option of echo could be reproduced when replacing

echo -e bla
with

/bin/echo -e blubb
:D

Anyhow, is it recommendable to replace 001's bash with dash? Would all system scripts including all Porteus scripts still work okay?
When I just have to debug/change/whatever my own dozens of scripts, I can live with that... but having a buggy and faulty Porteus is not something I desire...

Re: Bash bug

Posted: 08 Oct 2014, 23:53
by donald
anyone in doubt...test your bash...this script checks against 6 public vulnerabilities.
https://github.com/hannob/bashcheck

Re: Bash bug

Posted: 09 Oct 2014, 00:43
by brokenman
Anyhow, is it recommendable to replace 001's bash with dash?
No (see my above post for reasons).

Your echo -e example is not valid. Check man echo to see why.

Re: Bash bug

Posted: 10 Oct 2014, 00:07
by Rava
brokenman wrote: Your echo -e example is not valid. Check man echo to see why.

man echo:

-e     enable interpretation of backslash escapes
You confuse me, brokenman...

Re: Bash bug

Posted: 10 Oct 2014, 05:36
by cttan
Hi donald,

The bash check is good.

I just updated using usm -g bash and all is good now, as shown in the output below.

root@a10b23c45d67:~# ./bashcheck 
Testing /usr/bin/bash ...
GNU bash, version 4.2.50(2)-release (x86_64-slackware-linux-gnu)

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Found non-exploitable CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)
root@a10b23c45d67:~#
bashcheck script from donald's link:

#!/bin/bash

warn() {
	if [ "$scary" == "1" ]; then
		echo -e "\033[91mVulnerable to $1\033[39m"
	else
		echo -e "\033[93mFound non-exploitable $1\033[39m"
	fi
}

good() {
	echo -e "\033[92mNot vulnerable to $1\033[39m"
}

tmpdir=`mktemp -d -t tmp.XXXXXXXX`

[ -n "$1" ] && bash=$(which $1) || bash=$(which bash)
echo -e "\033[95mTesting $bash ..."
echo $($bash --version | head -n 1)
echo -e "\033[39m"

#r=`a="() { echo x;}" $bash -c a 2>/dev/null`
if [ -n "$(env 'a'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[91mVariable function parser active, maybe vulnerable to unknown parser bugs\033[39m"
	scary=1
elif [ -n "$(env 'BASH_FUNC_a%%'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[92mVariable function parser pre/suffixed [%%, upstream], bugs not exploitable\033[39m"
	scary=0
elif [ -n "$(env 'BASH_FUNC_a()'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[92mVariable function parser pre/suffixed [(), redhat], bugs not exploitable\033[39m"
	scary=0
elif [ -n "$(env 'BASH_FUNC_<a>%%'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[92mVariable function parser pre/suffixed [<..>%%, apple], bugs not exploitable\033[39m"
	scary=0
else
	echo -e "\033[92mVariable function parser inactive, bugs not exploitable\033[39m"
	scary=0
fi


r=`env x="() { :; }; echo x" $bash -c "" 2>/dev/null`
if [ -n "$r" ]; then
	warn "CVE-2014-6271 (original shellshock)"
else
	good "CVE-2014-6271 (original shellshock)"
fi

cd $tmpdir
env x='() { function a a>\' $bash -c echo 2>/dev/null > /dev/null
if [ -e echo ]; then
	warn "CVE-2014-7169 (taviso bug)"
else
	good "CVE-2014-7169 (taviso bug)"
fi

$($bash -c "true $(printf '<<EOF %.0s' {1..80})" 2>$tmpdir/bashcheck.tmp)
ret=$?
grep -q AddressSanitizer $tmpdir/bashcheck.tmp
if [ $? == 0 ] || [ $ret == 139 ]; then
	warn "CVE-2014-7186 (redir_stack bug)"
else
	good "CVE-2014-7186 (redir_stack bug)"
fi


$bash -c "`for i in {1..200}; do echo -n "for x$i in; do :;"; done; for i in {1..200}; do echo -n "done;";done`" 2>/dev/null
if [ $? != 0 ]; then
	warn "CVE-2014-7187 (nested loops off by one)"
else
	echo -e "\033[96mTest for CVE-2014-7187 not reliable without address sanitizer\033[39m"
fi

$($bash -c "f(){ x(){ _;};x(){ _;}<<a;}" 2>/dev/null)
if [ $? != 0 ]; then
	warn "CVE-2014-6277 (lcamtuf bug #1)"
else
	good "CVE-2014-6277 (lcamtuf bug #1)"
fi

if [ -n "$(env x='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
	warn "CVE-2014-6278 (lcamtuf bug #2)"
elif [ -n "$(env BASH_FUNC_x%%='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
	warn "CVE-2014-6278 (lcamtuf bug #2)"
elif [ -n "$(env 'BASH_FUNC_x()'='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
	warn "CVE-2014-6278 (lcamtuf bug #2)"
else
	good "CVE-2014-6278 (lcamtuf bug #2)"
fi

rm -rf $tmpdir

Re: Bash bug

Posted: 10 Oct 2014, 09:25
by donald
Hi cttan
Unfortunately Slackware has only bash patch 50, whereas the newest is 53,
which looks much better.

Testing /bin/bash ...
GNU bash, version 4.2.53(2)-release

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)

Also the (patch 53) code seems to be better. I had some bash segfault messages with
earlier patches. :(