Puppy Linux Discussion Forum
BASH exposure expressed as bigger than Heartbleed<SOLUTIONS>
Page 4 of 13 [186 Posts]
James C


Joined: 26 Mar 2009
Posts: 6734
Location: Kentucky

PostPosted: Fri 26 Sep 2014, 10:00    Post subject:  

dejan555 wrote:
Updated for dpup487 here

This might work on other pups; I'm not sure which ones it would be compatible with, though. You could test with pfix=ram.


Works in Upup Raring 3.9.9.2 as well. Thanks.
keniv

Joined: 06 Oct 2009
Posts: 550
Location: Scotland

PostPosted: Fri 26 Sep 2014, 10:29    Post subject:  

Quote:
Updated for dpup487 here

This might work on other pups; I'm not sure which ones it would be compatible with, though. You could test with pfix=ram.


Also works with Sulu 002 which is one of the updated versions of Lucid 528.
I did try it first in pfix=ram and I also backed up my save file before I tried it for real.

Thanks,

Ken.
James C


Joined: 26 Mar 2009
Posts: 6734
Location: Kentucky

PostPosted: Fri 26 Sep 2014, 10:41    Post subject: Everything you need to know about the Shellshock Bash bug  

Everything you need to know about the Shellshock Bash bug

http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

Quote:
Remember Heartbleed? If you believe the hype today, Shellshock is in that league and with an equally awesome name albeit bereft of a cool logo (someone in the marketing department of these vulns needs to get on that). But in all seriousness, it does have the potential to be a biggie and as I did with Heartbleed, I wanted to put together something definitive both for me to get to grips with the situation and for others to dissect the hype from the true underlying risk.


Quote:
In all likelihood, we haven’t even begun the fathom the breadth of this vulnerability. Of course there are a lot of comparisons being made to Heartbleed and there are a number of things we learned from that exercise. One is that it took a bit of time to sink in as we realised the extent to which we were dependent on OpenSSL. The other is that it had a very long tail – months after it hit there were still hundreds of thousands of known hosts left vulnerable.

But in one way, the Heartbleed comparison isn’t fair – this is potentially far worse. Heartbleed allowed remote access to small amount of data in the memory of affected machines. Shellshock is enabling remote code injection of arbitrary commands pre-auth which is potentially far more dire.
James C


Joined: 26 Mar 2009
Posts: 6734
Location: Kentucky

PostPosted: Fri 26 Sep 2014, 10:44    Post subject: Frequently Asked Questions about the Shellshock Bash flaws  

Frequently Asked Questions about the Shellshock Bash flaws

https://securityblog.redhat.com/2014/09/26/frequently-asked-questions-about-the-shellshock-bash-flaws/

Quote:
The recent few days have been hectic for everyone who works in the Linux/Unix world. Bash security flaws have rocked the globe leaving people confused, worried, or just frustrated. Now that the storm is over and patches are available for most operating systems, here are the answers to some of the common questions we’ve been asked:
prehistoric


Joined: 23 Oct 2007
Posts: 1746

PostPosted: Fri 26 Sep 2014, 11:17    Post subject:  

mavrothal wrote:
prehistoric wrote:
Instead of waiting for patches to bash itself to be tested, why not simply alter the scripts which call these programs to call a known-good shell which does not allow such exploits, in order to have it call the few programs which access the internet directly?

Bash was a good shell 2 days ago and is today after patching.
There is no way BTW to know that current "good shells" will remain good.
You are actually making my case for me. Switching from, e.g. Bash to Dash, leaves you with a very powerful scripting capability which may be exploited at a later date. Patching bash to eliminate a scripting vulnerability risks breaking scripts used all through Puppy variants. To use a phrase seen elsewhere in the discussion, this process will have "a very long tail".

What I'm trying to say is that launching programs which might, in some way we have not imagined, be fed scripts by a source outside our control with a shell having all the scripting capabilities of full bash is asking for trouble. I'm proposing that only those programs which might be affected by scripts sent over the Internet, like browsers and some email programs, be launched using a shell which never had the extensive scripting and environment manipulation supported by bash. You can't exploit what was never put in in the first place.

Having seen a wide variety of cross-site scripting and code injection attacks, like SQL code injection, I've gone to running browsers as a restricted user, "spot". It would also make sense to launch these browsers with less powerful shell programs. An attack which exploits a vulnerability in bash, or another powerful shell, will then have another level to work through before it can even get to bash. The cost in execution speed will be limited to the number of times we launch programs like browsers, email, etc.

This does not require changing bash throughout the system, and possibly breaking things we had not considered. Such a change can be made without compiling, by changing the way a limited number of programs like browsers are invoked, and will not require extensive testing to see if we broke other scripts.

All new versions should use the latest bash, but there is no need for older systems to undergo extensive alterations.
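As an added illustration of the launch-path idea prehistoric describes (editorial example code, not something posted in the thread): a wrapper that is itself run by /bin/sh rather than bash, removes every environment variable that carries a bash function export (a value beginning "() {", the form that unpatched bash 4.3 imports as a function definition when it starts), and only then execs the program. The program path in the usage line is an assumption; the "spot" user and the post's other suggestions are left to the reader.

```shell
#!/bin/sh
# Added example, not code from the thread. Run this launcher under /bin/sh (dash,
# busybox ash) so the sanitising step itself never goes through bash's
# environment-function import.

# Unset every exported variable whose value starts with "() {", the marker that
# pre-patch bash 4.3 treats as a function definition. Sets REMOVED_COUNT and
# prints the dropped names, one per line.
strip_function_exports() {
    REMOVED_COUNT=0
    # env prints NAME=VALUE; sed keeps only NAMEs whose VALUE begins with "() {".
    for name in $(env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=() {.*$/\1/p'); do
        unset "$name"
        REMOVED_COUNT=$((REMOVED_COUNT + 1))
        printf '%s\n' "$name"
    done
}

# Exec PROGRAM [ARGS...] with the sanitised environment. Because exec replaces
# this shell, nothing bash-specific sits between the caller and the program.
launch_clean() {
    [ "$#" -gt 0 ] || { echo "usage: launch_clean PROGRAM [ARGS...]" >&2; return 2; }
    strip_function_exports >/dev/null
    exec "$@"
}

# Stand-alone usage (program path assumed): sh launch_clean.sh /usr/bin/firefox
if [ "$#" -gt 0 ]; then
    launch_clean "$@"
fi
```

This narrows only the path the post is worried about, the environment handed to a browser or mail client at launch; it does nothing for bash processes started elsewhere, so it complements rather than replaces the patched packages discussed in the rest of the thread. Run the browser as the restricted "spot" user on top of this, as the post already does.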
sheldonisaac

Joined: 21 Jun 2009
Posts: 845
Location: Philadelphia, PA

PostPosted: Fri 26 Sep 2014, 11:59    Post subject: patches repo?  

01micko wrote:
Slacko "updates manager" should have slacko users covered. It's in the menu under "Set up". Once installed, restart X (equivalent to logout, login). Or reboot if extra paranoid. CORRECTION: it doesn't, because a puppy package covers bash. HOWEVER, still run "updates manager" as this refreshes the "patches" repo database.

Enable "patches" repo in PPM if not already. Then search "bash". Install (make sure from "patches repo"), restart X.

I've tried, but can't get a "patches repo".
Help, please.
I'm quite inexperienced with Slacko 5.70.

Thank you,
Sheldon

_________________
Dell E6410: Xenial, Dpup Stretch, etc
Dell Mini 9, Acer Aspire One, EeePC 1018P, PowerBook G4
Intel D865GBF, Intel DQ35JOE, Dell Vostro 430
watchdog

Joined: 28 Sep 2012
Posts: 1874
Location: Italy

PostPosted: Fri 26 Sep 2014, 12:13    Post subject: Re: patches repo?  

sheldonisaac wrote:
01micko wrote:
Slacko "updates manager" should have slacko users covered. It's in the menu under "Set up". Once installed, restart X (equivalent to logout, login). Or reboot if extra paranoid. CORRECTION: it doesn't, because a puppy package covers bash. HOWEVER, still run "updates manager" as this refreshes the "patches" repo database.

Enable "patches" repo in PPM if not already. Then search "bash". Install (make sure from "patches repo"), restart X.

I've tried, but can't get a "patches repo".
Help, please.
I'm quite inexperienced with Slacko 5.70.

Thank you,
Sheldon


I had already installed the package suggested by jamesbond:

http://www.murga-linux.com/puppy/viewtopic.php?p=800627#800627

In PPM it seems the latest. If you have problems with Updates Manager just download and install it.
James C


Joined: 26 Mar 2009
Posts: 6734
Location: Kentucky

PostPosted: Fri 26 Sep 2014, 12:23    Post subject:  

[Attachments: patches repo.jpg (7.35 KB); Screenshot_2014-09-26_111630.jpg (44.5 KB)]
cimarron


Joined: 30 May 2013
Posts: 293

PostPosted: Fri 26 Sep 2014, 17:03    Post subject:  

Looks like a more complete fix has been released:
New “Shellshock” patch rushed out to resolve gaps in first fix
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762761

Ubuntu-based pups can get new bash packages here:
https://launchpad.net/ubuntu/+source/bash

Redhat provides this new test to see if the more complete fix works:

Quote:
The fix for CVE-2014-7169 ensures that the system is protected from the file creation issue. To test if your version of Bash is vulnerable to CVE-2014-7169, run the following command:

$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Fri Sep 26 11:49:58 GMT 2014

If your system is vulnerable, the time and date information will be output on the screen and a file called /tmp/echo will be created.

If your system is not vulnerable, you will see output similar to:

$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory

The new Precise package seems to work in Precise puppy 5.7.1 (I had to uninstall the first bash fix package before installing the new one).


WARNING: When I installed either the first or second fix, using ubuntu precise packages for my precise 5.7.1 pup, it seems to have broken Frisbee. It connects okay (to preconfigured network) and I can run the manager, but no networks show up in the scan results window, and no interfaces show up in the interfaces tab window. Anyone else have this problem?

When I uninstalled the bash fix (in my frugal install), Frisbee worked fine. (I've put this note in the Frisbee thread as well.)


Update: There's a new version of bash out now that does not break Frisbee. Geoffrey provided it in another thread (and it's been tested in a number of pups):

bash 4.3.27
(does not break Frisbee)

Last edited by cimarron on Mon 29 Sep 2014, 09:34; edited 5 times in total
mikeslr


Joined: 16 Jun 2008
Posts: 3268
Location: 500 seconds from Sol

PostPosted: Fri 26 Sep 2014, 19:48    Post subject: Shell Shock Bug > dejan555's pet also works in Carolina 1.2  

Hi All,

dejan555's pet, http://www.murga-linux.com/puppy/viewtopic.php?p=800678#800678, also works in Carolina 1.2

Thanks dejan555.

The above was written before I checked the Carolina thread. Geoffrey has also responded to the threat. A Carolina-specific BASH update pet can be obtained through Carolina's Package Management. It's available here: http://smokey01.com/carolina/pages/recent-repo.html It will probably also work in Racy and Saluki. Thanks Geoffrey.

mikeslr
Geoffrey


Joined: 30 May 2010
Posts: 2377
Location: Queensland

PostPosted: Fri 26 Sep 2014, 20:11    Post subject:  

Edit: the latest is 030.
Compiled the latest patch 026 in Carolina. I used instructions from here; they need modifying to suit, as the default installs to /usr/local. Change the 25 to the latest patch that's available, which at the moment is 26.
Code:
mkdir src
cd src
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
# download all patches (they are numbered from 001; change 25 to the latest level)
for i in $(seq -f "%03g" 1 25); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
tar zxvf bash-4.3.tar.gz
cd bash-4.3
# apply all patches, in order
for i in $(seq -f "%03g" 1 25); do patch -p0 < ../bash43-$i; done
# build and install (goes to /usr/local by default; adjust ./configure --prefix to suit)
./configure && make && make install
cd ..
cd ..
rm -r src


Code:
# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
date
cat: /tmp/echo: No such file or directory


b̶a̶s̶h̶-̶4̶.̶3̶.̶2̶6̶-̶1̶.̶p̶e̶t̶ (REMOVED)

b̶a̶s̶h̶-̶4̶.̶3̶.̶2̶8̶-̶1̶.̶p̶e̶t̶ (REMOVED)

b̶a̶s̶h̶-̶4̶.̶3̶.̶2̶9̶-̶1̶.̶p̶e̶t̶ (REMOVED)

bash-4.3.30-1.pet

b̶a̶s̶h̶_̶D̶O̶C̶-̶4̶.̶3̶.̶2̶6̶-̶1̶.̶p̶e̶t̶ (REMOVED)

b̶a̶s̶h̶_̶D̶O̶C̶-̶4̶.̶3̶.̶2̶8̶-̶1̶.̶p̶e̶t̶ (REMOVED)

b̶a̶s̶h̶_̶D̶O̶C̶-̶4̶.̶3̶.̶2̶9̶-̶1̶.̶p̶e̶t̶ (REMOVED)

bash_DOC-4.3.30-1.pet

b̶a̶s̶h̶_̶N̶L̶S̶-̶4̶.̶3̶.̶2̶6̶-̶1̶.̶p̶e̶t̶ (REMOVED)

b̶a̶s̶h̶_̶N̶L̶S̶-̶4̶.̶3̶.̶2̶8̶-̶1̶.̶p̶e̶t̶ (REMOVED)

b̶a̶s̶h̶_̶N̶L̶S̶-̶4̶.̶3̶.̶2̶9̶-̶1̶.̶p̶e̶t̶ (REMOVED)

bash_NLS-4.3.30-1.pet

_________________
Carolina: Recent Repository Additions


Last edited by Geoffrey on Mon 06 Oct 2014, 01:22; edited 3 times in total
michaellowe


Joined: 17 Dec 2011
Posts: 69
Location: The Garden

PostPosted: Fri 26 Sep 2014, 20:18    Post subject: https://launchpad.net/~ubuntu-security-proposed/+archive/ubu  

Hi everyone. It was suggested to me by cimarron to apply this patch found at: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/6408041 and so I did, but I have an i686 architecture. I applied the patch and rebooted. How will I know if it's working? Thanks in advance.
_________________
Smash forehead on keyboard to continue.....
well, that's at least how some of us deal with ba$h!
Geoffrey


Joined: 30 May 2010
Posts: 2377
Location: Queensland

PostPosted: Fri 26 Sep 2014, 20:31    Post subject:  

@michaellowe

Type
Code:
bash --version
in the terminal. You should see something like the output shown below, which in my case is the Carolina build for i686.

Code:
GNU bash, version 4.3.26(1)-release (i686-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

_________________
Carolina: Recent Repository Additions

michaellowe


Joined: 17 Dec 2011
Posts: 69
Location: The Garden

PostPosted: Fri 26 Sep 2014, 21:03    Post subject: Ba$h Version  

@ Geoffrey

Please find attached a screenshot of my bash version.
I'm on Precise 5.7.1 with kernel 3.9.11.

Am I good to go? Cheers.

[Attachment: bash version.png (20.22 KB)]

_________________
Smash forehead on keyboard to continue.....
well, that's at least how some of us deal with ba$h!
cimarron


Joined: 30 May 2013
Posts: 293

PostPosted: Fri 26 Sep 2014, 21:11    Post subject:  

As I posted above, to check if the new (second) fix is working, paste this line into the terminal:
Code:
cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo


If your system is vulnerable, the time and date information will be output on the screen (and a file called /tmp/echo will be created):
Code:
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Fri Sep 26 11:49:58 GMT 2014


If your system is not vulnerable, you will see output similar to:
Code:
date
cat: /tmp/echo: No such file or directory

Last edited by cimarron on Mon 29 Sep 2014, 09:13; edited 2 times in total
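The two questions that keep coming up on this page, "how do I know if it's working?" and "what does the Red Hat test output mean?", can be answered by one small script. The following is an added example, not code posted by cimarron, Geoffrey or Red Hat: it runs the CVE-2014-7169 probe quoted above against a chosen bash binary inside a throw-away directory (so no stray /tmp/echo is left behind), reduces the result to one word, and prints the version string Geoffrey asked for. The script name in the usage line is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. POSIX sh; needs mktemp and env.

# Print the numeric bash version (e.g. 4.3.30) reported by the given binary
# (default: "bash" on PATH). Prints nothing if the binary is absent.
bash_version() {
    "${1:-bash}" --version 2>/dev/null |
        sed -n '1s/^GNU bash, version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Run the Red Hat CVE-2014-7169 probe from the posts above against a bash binary.
# Prints "vulnerable" if the probe created ./echo in the scratch directory (the
# file-creation bug), "patched" if it did not, "missing" if the binary is absent.
check_cve_2014_7169() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || { echo missing; return 0; }
    workdir=$(mktemp -d) || return 1
    # Same command as in the quoted advisory, but run in a fresh directory so the
    # side effect (a file named "echo" in the current directory) is isolated.
    # On a vulnerable bash the leftover ">\" makes "echo" a redirection target
    # and "date" runs; on a patched bash the command just prints the word "date".
    ( cd "$workdir" && env 'x=() { (a)=>\' "$bash_bin" -c "echo date" ) >/dev/null 2>&1 || :
    if [ -e "$workdir/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$workdir"
    echo "$result"
}

# Stand-alone usage (script name assumed): sh shellshock-check.sh [/path/to/bash]
printf 'bash binary  : %s\n' "${1:-bash}"
printf 'bash version : %s\n' "$(bash_version "${1:-bash}")"
printf 'CVE-2014-7169: %s\n' "$(check_cve_2014_7169 "${1:-bash}")"
```

Pass an explicit path when more than one bash is installed, for example after the source build in Geoffrey's post left a copy in /usr/local/bin while the distro package still lives in /bin: the version line tells you which one you are testing, and the probe result tells you whether that one is fixed. A version number alone is not proof either way, since distributions backport fixes without changing it, so the behavioural check is the one to trust.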