Bash bug

[neko]

For 32 bit, version 3.0.1
001-core3.xzm was updated to 001-core4.xzm.

http://www.mediafire.com/download/8goqr ... -core4.xzm
md5sum: 0bcd417e010716db876be750ff6d2889 001-core4.xzm

'bash', the content of 001-core3.xzm, was updated
depending on 32 bit UBUNTU14.04 updating
from the "bash_4.2-2ubuntu2.5_i386" to the "bash_4.2-2ubuntu2.6_i386".

================================================
@Rava
1."is dash working fine for all bash scripts?"
No, there are many issues which were already explained by brokenman.

2."Can it be used for the time being as a complete bash replacement
until the bash shellshock vulnerability issues are solved?"

No, it can not be used as a complete bash replacement.
Because it is too difficult for the "complete bash replacement"
to keep the quality by the short time maintenance.

3."how would one incorporate that?"
001-core.xzm could be replaced, and then be rebooted.

4."are you really running XFCE-v2.0-rc2-i486.iso as your avatar text suggests?"
I updated my avatar profile.

================================================
@donald
results of bashcheck.

[bash of 001-core3.xzm]
Testing /bin/bash ...
GNU bash, version 4.2.25(1)-release (i686-pc-linux-gnu)

Variable function parser pre/suffixed [(), redhat], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)

[bash of 001-core4.xzm]
Testing /home/guest/work/bash/bash_4.2-2ubuntu2.6_i386/bin/bash ...
GNU bash, version 4.2.25(1)-release (i686-pc-linux-gnu)

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)


Thanks.

[francois]

@donald:
Thanks for the bash tester.

@neko:
Thanks for the new core module. It does pass the test.

[Rava]

@Neko

Thanks for the info.

How do you implement updates newer than bash-4.2.050?
That's the newest txz I found. Me thinks the newer updates have to be merged into the source code and bash needs to be compiled, or am I wrong here?

Cause this is what I get running the newest available slackware patch-level on x86-64:

# bashcheck
Testing /usr/bin/bash ...
GNU bash, version 4.2.50(2)-release (x86_64-slackware-linux-gnu)

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Found non-exploitable CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)

[neko]

@Rava
Creating 001-core4.xzm was done as following steps.

1.get bash_4.2-2ubuntu2.6_i386.deb from
the updated newest 32 bit UBUNTU14.04 by synaptic.

2.get libtinfo.so.5.9 by USM or other tool.

3.expand bash_4.2-2ubuntu2.6_i386.deb by commands under root privilege.

# ar x bash_4.2-2ubuntu2.6_i386.deb
# mv data.tar.gz bash_4.2-2ubuntu2.6_i386.tgz
# tar -xzf control.tar.gz

4.create "PACKAGE DESCRIPTION:" text.

# echo "bash_4.2-2ubuntu2.6_i386: " > bash_4.2-2ubuntu2.6_i386.txt
# cat control | sed "s/^/bash_4.2-2ubuntu2.6_i386: /g" >> bash_4.2-2ubuntu2.6_i386.txt
# echo "bash_4.2-2ubuntu2.6_i386: " >> bash_4.2-2ubuntu2.6_i386.txt

5.install bash_4.2-2ubuntu2.6_i386.tgz into temporary root.

# mkdir root
# installpkg -root root bash_4.2-2ubuntu2.6_i386.tgz
# cd root/bin
# ln -sf bash sh
# cd ../..
# cd root/usr/bin
# ln -sf ../../bin/bash .
# cd ../../..
# mkdir -p root/lib
# mv libtinfo.so.5.9 root/lib/.
# cd root/lib
# ln -sf libtinfo.so.5.9 libtinfo.so.5
# cd ../..

7.create 001-core4.xzm

# mloop 001-core.xzm
# mkdir new
# cp -a /mnt/loop/* new/.
# uloop
# cp -a root/* new/.
# mksquashfs new 001-core4.xzm -b 256K -comp xz -Xbcj x86

Thanks.

[neko]

@Rava

A sample 64 bit 001-core4.xzm was uploaded.
'sample' means that this 001-core4.xzm was not tested
because I do not have 64 bit PC now.

http://www.mediafire.com/download/faety ... -core4.xzm
md5sum: 61f6704ac7885b2e909775451982b0f4 001-core4.xzm

Thanks.
============================================
bash_4.3-7ubuntu1.5_amd64.deb was gotten from the site
http://pkgs.org/search/bash

libtinfo.so.5.9 was gotten from the ISO
Porteus-FVWM-v3.0.1-x86_64-2.iso

[slack_distros_rock]

@Rava

A sample 64 bit 001-core4.xzm was uploaded.
'sample' means that this 001-core4.xzm was not tested
because I do not have 64 bit PC now.

http://www.mediafire.com/download/faety ... -core4.xzm
md5sum: 61f6704ac7885b2e909775451982b0f4 001-core4.xzm

Thanks.
============================================
bash_4.3-7ubuntu1.5_amd64.deb was gotten from the site
http://pkgs.org/search/bash

libtinfo.so.5.9 was gotten from the ISO
Porteus-FVWM-v3.0.1-x86_64-2.iso

I have a new 3.0.1 KDE4 64 install where I replaced the 001-core with the 001-core4.

Now

Code: Select all

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

gives

Code: Select all

this is a test

while before it gave

Code: Select all

vulnerable

The system works same as before- thanks!

[donald]

@slack_distros_rock

It would be more meaningful to test against all (so far known) vulnerabilities.
Not just one..

[Rava]

It would be more meaningful to test against all (so far known) vulnerabilities.
Not just one..

Is there a script that does just that? I just run the "bashcheck" one... but sadly, it seems not to have any version info in it.

Does "bashcheck" enough to be called "test against all (so far known) vulnerabilities"?
______________________________________________________

slack_distros_rock :
Checking out your 001-core4.xzm soon...
______________________________________________________

How best does one make an comparison of what was changed in a module?
xzm2copy both into separate folders, and then run md5sum on all files but symlinks?
Is there already a script or cli one-liner that does just that?
Or is a different approach than md5sum'em'all better?
______________________________________________________

Strange enough, with my current system, that is 001-core_bash-4.2.050 ... there is a difference in what bashcheck reports.
When I run it as root in XFCe terminal, I get this:

Code: Select all

Found non-exploitable CVE-2014-7186 (redir_stack bug)

but when I run it as normal user in XFCe terminal, I get this:

Code: Select all

Not vulnerable to CVE-2014-7186 (redir_stack bug)

(All the rest of the output is identical)

Any ideas why that differs? Not happy that root, of all users, has a higher vulnerability (even when the script tells me "non-exploitable" than normal user...

And ideas why that could be?

[donald]

@Rava

Is there a script that does just that?

The linked page explains which vulnerabilities are checked by "bashcheck"

..not to have any version info in it.

???

.. there is a difference in what bashcheck reports.

Not on my end, with original slackware patch:

Code: Select all

guest@porteus:~$ ./bashcheck
Testing /usr/bin/bash ...
GNU bash, Version 4.2.50(2)-release (i486-slackware-linux-gnu)

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)
guest@porteus:~$ su
Passwort: 
root@porteus:~# cd /home/guest
root@porteus:/home/guest# ./bashcheck
Testing /usr/bin/bash ...
GNU bash, Version 4.2.50(2)-release (i486-slackware-linux-gnu)

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)
root@porteus:/home/guest# 

The updated core4.xzm (by neko btw) was built with packages from ubuntu.....

[slack_distros_rock]

@ donald

@ rava

I used the latest bashcheck and

Code: Select all

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)

neko's 64 bit module is ok

[Rava]

^
Indeed, after restart I got the same result. Just could not post, my power supply went bonkers and I had to shut down the PC...

@neko
Could you please include the newest usm in your (x86-64 & x686) 001-core4.xzm?

Or do you - and all others - also include the usm-3.1.6-noarch-1.xzm module?

[brokenman]

usm-3.1.7 will be out this weekend.

[neko]

@ Rava
usm-latest-0.0-noarch-1 of both 001-core4.xzms will be updated to usm-3.1.7.

Thanks.

@brokenman
Thank you for your good timing post.

[Rava]

^ & ^^

So, sometime end of weekend, or beginning of next week, we will get core5.xzm with newest usm 3.1.7? Yay!

[Ed_P]

I would think the 3.1 001-core.xzm module would include the bash bug fix(s) rather than a separate addon module.