Bash bug
Re: Bash bug
For the time being you could try the zsh shell, which has been kept up to date & has improvements over bash:
http://zsh.sourceforge.net/
- snake
- White ninja
- Posts: 14
- Joined: 29 Dec 2010, 10:02
- Distribution: Porteus-v3.1 64bit KDE
- Location: Finland
Re: Bash bug
Yep, that bug works on Porteus too, so if you are using Porteus as webserver, sshd server, etc. fix it right now.
Test with:
Code:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
Fix:
http://mirrors.slackware.com/slackware/ ... ck14.1.txz
BTW, I tried to install it with usm, however did not succeed.
Code:
usm -s bash
show slackwarepatch repository:
Code:
bash-4.2.045-x86_64-1.txz was found in slackware
bash-4.2.048-x86_64-1_slack14.1.txz was found in slackwarepatches
Packages found: 2
However with get
Code:
usm -g bash
show only the first one and not patch repository. My USM should be latest 3.1.6. with recent -u all. Do you get same problem?
You can manually install fix by (as a root):
Code:
wget http://mirrors.slackware.com/slackware/slackware64-14.1/patches/packages/bash-4.2.048-x86_64-1_slack14.1.txz
txz2xzm bash-4.2.*
activate bash-4.2*xzm
Re: Bash bug
Or there is fish, pre-compiled for various distros & also works for Mac:
http://fishshell.com/
- francois
- Contributor
- Posts: 6315
- Joined: 28 Dec 2010, 14:25
- Distribution: xfce plank porteus nemesis
- Location: Spring, spring, spring... ... winter is running out of breath.
Re: Bash bug
@snake:
So I can conclude that if I am using bash only for internal manipulations, that is that I stay within my linux box, there is no threat?

Take your time, enjoy the time as it passes.
- Ed_P
- Contributor
- Posts: 7677
- Joined: 06 Feb 2013, 22:12
- Distribution: Cinnamon 5.0 ISO
- Location: Western NY, USA
Re: Bash bug
snake wrote:
> You can manually install fix by (as a root):
> Code:
> wget http://mirrors.slackware.com/slackware/slackware64-14.1/patches/packages/bash-4.2.048-x86_64-1_slack14.1.txz
> txz2xzm bash-4.2.*
> activate bash-4.2*xzm
Thanks snake.
Interesting articles guys.
Ed
- Ed_P
- Contributor
- Posts: 7677
- Joined: 06 Feb 2013, 22:12
- Distribution: Cinnamon 5.0 ISO
- Location: Western NY, USA
Re: Bash bug
Oh oh, didn't work.
=update=
Code:
--2014-09-25 19:47:13-- http://mirrors.slackware.com/slackware/slackware64-14.1/patches/packages/bash-4.2.048-x86_64-1_slack14.1.txz
Resolving mirrors.slackware.com (mirrors.slackware.com)... 207.223.116.213
Connecting to mirrors.slackware.com (mirrors.slackware.com)|207.223.116.213|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-09-25 19:47:14 ERROR 404: Not Found.
File needs to be bash-4.2.048-x86_64-2_slack14.1.txz not bash-4.2.048-x86_64-1_slack14.1.txz. It can be found here also: ftp://ftp.slackware.com/pub/slackware/s ... /packages/
Ed
- snake
- White ninja
- Posts: 14
- Joined: 29 Dec 2010, 10:02
- Distribution: Porteus-v3.1 64bit KDE
- Location: Finland
Re: Bash bug
Ed_P wrote:
> Oh oh, didn't work.
> =update=
> Code:
> --2014-09-25 19:47:13-- http://mirrors.slackware.com/slackware/slackware64-14.1/patches/packages/bash-4.2.048-x86_64-1_slack14.1.txz
> Resolving mirrors.slackware.com (mirrors.slackware.com)... 207.223.116.213
> Connecting to mirrors.slackware.com (mirrors.slackware.com)|207.223.116.213|:80... connected.
> HTTP request sent, awaiting response... 404 Not Found
> 2014-09-25 19:47:14 ERROR 404: Not Found.
> File needs to be bash-4.2.048-x86_64-2_slack14.1.txz not bash-4.2.048-x86_64-1_slack14.1.txz. It can be found here also: ftp://ftp.slackware.com/pub/slackware/s ... /packages/
Yes, the first update link that was available (and I sent) was not fully fixing the issue therefore now removed. Correct one is that http://mirrors.slackware.com/slackware/ ... ck14.1.txz
- snake
- White ninja
- Posts: 14
- Joined: 29 Dec 2010, 10:02
- Distribution: Porteus-v3.1 64bit KDE
- Location: Finland
Re: Bash bug
francois wrote:
> @snake:
> So I can conclude that if I am using bash only for internal manipulations, that is that I stay within my linux box, there is no threat?
Well maybe yes, however I suggest to update bash as it might be possible to do nasty tricks with this one. For example:
https://www.trustedsec.com/september-20 ... f-concept/ where DHCP server gives bad code to clients that happily run given script as a root. For example, if your router with dhcpd is compromised, it can give nasty scripts to all the machines asking for local network address from them. Many routers, WLAN access points and "smart" TVs nowadays have Linux and some kind of webserver as frontend, so that might be an even bigger issue for those (mainly because those are updated rarely or there is no update available at all anymore). There is a nice discussion of other possible threats in https://news.ycombinator.com/item?id=8369443 comments. In practice it is related to anything that uses scripts and bash for doing things. Especially those scripts that run as root, and there are several of those in Linux and OSX devices. I don't know details if this works with other *sh shells.
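Added example, not part of the thread and not posted by any participant: a detection sketch for the exposure discussed above, flagging request fields and environment values that begin with `() {`, the prefix the thread's test command uses. The function names, the Apache combined log format and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find values that begin with "() {", the prefix the test
# command in this thread uses to make bash treat a variable as a function.
# Function names and the sample data below are assumptions for illustration.

# Constructed access-log lines in Apache combined format (not real traffic).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:19:40:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.66 - - [25/Sep/2014:19:41:17 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :;}; echo vulnerable"
192.0.2.10 - - [25/Sep/2014:19:42:30 +0000] "GET /help() HTTP/1.1" 404 210 "-" "curl/7.36.0"
192.0.2.77 - - [25/Sep/2014:19:43:02 +0000] "GET /cgi-bin/env HTTP/1.1" 200 90 "() { :;}; echo vulnerable" "Wget/1.14"
EOF
}

# Read a combined-format log on stdin. The quoted fields (request, Referer,
# User-Agent) are the even-numbered fields when splitting on '"'.
# Print "client-ip request-path" for each line with a field starting "() {".
scan_log() {
    awk -F'"' '{
        for (i = 2; i <= NF; i += 2)
            if (index($i, "() {") == 1) {
                split($1, ip, " "); split($2, req, " ")
                print ip[1], req[2]
                break
            }
    }'
}

# Read NAME=value lines on stdin (for example the output of env) and
# print the names whose value starts with "() {".
scan_env() {
    awk '{
        eq = index($0, "=")
        if (eq > 1 && index(substr($0, eq + 1), "() {") == 1)
            print substr($0, 1, eq - 1)
    }'
}

# Stand-alone run: list the flagged requests from the constructed sample.
sample_log | scan_log
```

Piping `env` into `scan_env` from inside a service's own context shows what that service actually inherits. On a patched bash, legitimately exported functions appear under names beginning with `BASH_FUNC_`, so hits under any other name are the ones to look at.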
- brokenman
- Site Admin
- Posts: 6104
- Joined: 27 Dec 2010, 03:50
- Distribution: Porteus v4 all desktops
- Location: Brazil
- Contact:
Re: Bash bug
Thanks snake. This is quite a low level core vulnerability and the attack vectors are very wide. Just another damn good reason why people shouldn't run as root.
How do i become super user?
Wear your underpants on the outside and put on a cape.
-
- Samurai
- Posts: 116
- Joined: 10 Nov 2013, 12:02
- Distribution: LXDE3.5Manjaro, LXDE3.01-32bit
- Location: Sweden
Re: Bash bug
Hi Brokenman,
when will it be possible to do a USM update?
And, Thank you Snake.
- brokenman
- Site Admin
- Posts: 6104
- Joined: 27 Dec 2010, 03:50
- Distribution: Porteus v4 all desktops
- Location: Brazil
- Contact:
Re: Bash bug
I haven't done much on USM since the beginning of this month. Been busy with next release. You can now update the database to get this patch if you wish.
Code:
usm -u slackwarepatches
usm -g bash
How do i become super user?
Wear your underpants on the outside and put on a cape.
-
- DEV Team
- Posts: 2082
- Joined: 09 Feb 2013, 09:55
- Distribution: APorteus-FVWM-ja-x86_64.iso
- Location: japan
Re: Bash bug
For 32 bit, version 3.0.1
001-core.xzm was updated to 001-core2.xzm.
http://www.mediafire.com/download/kcp5z ... -core2.xzm
md5sum: 13cb1f8dec29da0839bfcefe61908fd2 001-core2.xzm
'bash', the content of 001-core.xzm, was updated to fix the "Shellshock" problem.
Please refer
http://www.thegeekstuff.com/2014/09/bas ... 2014-7169/
-
- Samurai
- Posts: 170
- Joined: 29 Dec 2010, 08:10
- Distribution: porteus v5.0-xfce K5.19.7
- Location: France
Re: Bash bug
@neko
hello, with your module I get the error:
/bin/bash missing share library libtinfo.so.5
@brokenman
all's ok with creating the corrective with usm