Puppy Linux Discussion Forum
BASH exposure expressed as bigger than Heartbleed<SOLUTIONS>

James C
Joined: 26 Mar 2009
Posts: 6734
Location: Kentucky

Posted: Thu 25 Sep 2014, 06:58

Installed

Code:
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
#


Good to see fast security fixes.

James C
Joined: 26 Mar 2009
Posts: 6734
Location: Kentucky

Posted: Thu 25 Sep 2014, 07:02

Code:
# bash --version
GNU bash, version 4.2.48(2)-release (i486-slackware-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
#

SFR
Joined: 26 Oct 2011
Posts: 1731

Posted: Thu 25 Sep 2014, 07:05

http://www.infoq.com/news/2014/09/bash-remote-exploit wrote:
There's still a vulnerability:
UPDATE 25 September: There is still a vulnerability (CVE-2014-7169) even after the above patches have been applied. Thanks to focus in this area, many people are looking at the code and/or fuzzing it to try and find out what else is possible. This was reported on Twitter by Tavis Ormandy and the proof of concept allows remote overwriting of files owned by that process:

$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Thu 25 Sep 2014 08:33:10 BST
Chet Ramey, the maintainer of Bash, has acknowledged the issue and provided a work-in-progress patch, but it has not been officially released on the Bash website. System administrators should consider the currently fixed Bash version to still be vulnerable. When an official patch is provided this post will be updated.

___________

@Mick: Dunno why, but Slackware's bash packages render HOME/END keys unusable in terminal (urxvt, LXTerminal, VTE).
The same happened with bash compiled by myself.
A workaround is to append this to /etc/inputrc:
Code:
"\e[1~": beginning-of-line      # Home Key
"\e[4~": end-of-line            # End Key

Greetings!

_________________
[O]bdurate [R]ules [D]estroy [E]nthusiastic [R]ebels => [C]reative [H]umans [A]lways [O]pen [S]ource
Omnia mea mecum porto.

James C
Joined: 26 Mar 2009
Posts: 6734
Location: Kentucky

Posted: Thu 25 Sep 2014, 07:25

Tahr 5.8.3 rc1 will update to

Code:
# bash --version
GNU bash, version 4.3.11(1)-release (i686-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
#




Code:
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
#

anikin
Joined: 10 May 2012
Posts: 1020

Posted: Thu 25 Sep 2014, 09:37

In DebianDog, the following 2 commands got me "good" bash:
Code:
apt-get update
apt-get install bash
Pre-update:
Code:
root@debian:~# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
root@debian:~#
Post-update:
Code:
root@debian:~# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
root@debian:~#

Dingo
Joined: 11 Dec 2007
Posts: 1439
Location: somewhere at the end of rainbow...

Posted: Thu 25 Sep 2014, 10:24

I just patched the bash 4.3 sources against the latest available patch (but we need a further patch as far as I understand) and compiled for Puppy 3.01, but I'm not sure it is safe to replace the bash 3.00.16 built-in in Puppy 3.01 with bash 4
_________________
replace .co.cc with .info to get access to stuff I posted in forum
dropbox 2GB free
OpenOffice for Puppy Linux

bark_bark_bark
Joined: 05 Jun 2012
Posts: 1935
Location: Wisconsin USA

Posted: Thu 25 Sep 2014, 11:40

Is there an updated version of bash for LxTahr 14.09 yet?
_________________
....

dejan555
Joined: 30 Nov 2008
Posts: 2807
Location: Montenegro

Posted: Thu 25 Sep 2014, 12:26

EDIT: See this post for latest version(s)
_________________
puppy.b0x.me stuff mirrored HERE or HERE

Last edited by dejan555 on Wed 01 Oct 2014, 16:09; edited 2 times in total

Jasper
Joined: 25 Apr 2010
Posts: 1350
Location: England

Posted: Thu 25 Sep 2014, 12:45

Hi dejan555,

Works with Precise 5.6, thank you.

My regards

slavvo67
Joined: 12 Oct 2012
Posts: 1601
Location: The other Mr. 305

Posted: Thu 25 Sep 2014, 12:56

Dejan's patch also works on OV Precise 5.8. Thanks Dejan!

anikin
Joined: 10 May 2012
Posts: 1020

Posted: Thu 25 Sep 2014, 13:07

For all Ubuntu based puppies (lucid, precise, raring, saucy, trusty, utopic) bash is available here:
http://packages.ubuntu.com/trusty/i386/bash/download
http://security.ubuntu.com/ubuntu/pool/main/b/bash/bash_4.3-7ubuntu1.1_i386.deb
This one is for trusty, select your release on the top of the page.

Sky Aisling
Joined: 27 Jun 2009
Posts: 1269
Location: Port Townsend, WA. USA

Posted: Thu 25 Sep 2014, 13:48
Post subject: BASH exposure expressed as bigger than Heartbleed.
Subject description: If I Use Console in Everyday Use, Am I Exposed to Bug?

So help me, the non-geek, to understand if this affects me.

If I use a bash terminal will I be vulnerable to this bug?
For example: I often do a 'dmesg' command through the console.

jamesbond writes:

Quote:
The vulnerability is *NOT* as big as Heartbleed, because most people don't use bash as a "server" :)

anikin
Joined: 10 May 2012
Posts: 1020

Posted: Thu 25 Sep 2014, 16:55

Quote:
Ubuntu and other Debian-derived systems that use Dash exclusively are not at risk – Dash isn't vulnerable, but busted versions of Bash may well be present on the systems anyway. It's essential you check the shell interpreters you're using, and any Bash packages you have installed, and patch if necessary
==>http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
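
The advice quoted above, to check every shell interpreter you have installed, as an added example that is not part of the original thread: it runs the thread's CVE-2014-6271 one-liner and the CVE-2014-7169 check quoted from InfoQ against each entry of a shells list. The function names are hypothetical, and it assumes absolute paths (as in /etc/shells) to programs that accept `-c`.

```shell
#!/bin/sh
# Added example, not from the thread: audit the shells listed in a file in
# /etc/shells format. probe_shell and audit_shells are hypothetical names.

# probe_shell /abs/path -> CVE-2014-6271 | CVE-2014-7169 | ok | missing
probe_shell() {
    sh_path=$1
    [ -x "$sh_path" ] || { echo missing; return 0; }
    # Probe 1: the one-liner the posters ran by hand. A patched bash only
    # warns on stderr; dash and other shells ignore the variable.
    out=$(env x='() { :;}; echo vulnerable' "$sh_path" -c 'echo this is a test' \
          2>/dev/null </dev/null) || :
    case "$out" in *vulnerable*) echo CVE-2014-6271; return 0 ;; esac
    # Probe 2: the check quoted from InfoQ. A bash with only the first patch
    # leaves a file named "echo" behind, so run it in a scratch directory.
    tmp=$(mktemp -d) || return 2
    (cd "$tmp" && env X='() { (a)=>\' "$sh_path" -c 'echo date' \
        >/dev/null 2>&1 </dev/null) || :
    if [ -e "$tmp/echo" ]; then verdict=CVE-2014-7169; else verdict=ok; fi
    rm -rf "$tmp"
    echo "$verdict"
}

# audit_shells LIST -> one "path<TAB>verdict" line per entry;
# returns 1 if any entry is affected, 2 if LIST is unreadable.
audit_shells() {
    list=$1
    bad=0
    [ -r "$list" ] || { echo "cannot read $list" >&2; return 2; }
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        result=$(probe_shell "$line")
        printf '%s\t%s\n' "$line" "$result"
        case "$result" in CVE-*) bad=1 ;; esac
    done < "$list"
    return "$bad"
}

# Run only when a list is given, e.g.: sh audit.sh /etc/shells
if [ "$#" -gt 0 ]; then audit_shells "$1"; fi
```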

slavvo67
Joined: 12 Oct 2012
Posts: 1601
Location: The other Mr. 305

Posted: Thu 25 Sep 2014, 17:25

OK, so at least the patch is there, though maybe not the perfect fix. Now, does anyone know if the patch has any negative effect on bash or its scripts?

James C
Joined: 26 Mar 2009
Posts: 6734
Location: Kentucky

Posted: Thu 25 Sep 2014, 17:51

Some more info...

http://www.pcworld.com/article/2687857/bigger-than-heartbleed-shellshock-flaw-leaves-os-x-linux-more-open-to-attack.html#tk.nl_today

Quote:
When it gets down to brass tacks, most major websites and modern gadgets you own likely won't be affected by this Bash vulnerability, and Apple will no doubt patch the OS X implementation quickly. (Here's a highly technical DIY fix for now.)

It's impossible to know just how far this flaw reaches, and it's likely to linger on in neglected websites, older routers, and some legacy Internet of Things devices—many of which are impossible to patch—providing an opening for determined hackers to sneak into those systems.