BASH exposure expressed as bigger than Heartbleed<SOLUTIONS>

For discussions about security.
Barkin
Posts: 803
Joined: Fri 12 Aug 2011, 04:55

#81 Post by Barkin »

prehistoric wrote:@Barkin,

I actually prefer the more complicated test used by cimarron. The date function has to be executed to produce that new text, and a file created as a result. With the simple test you used I would worry that a mix-up in quoting gave me a false assurance that a vulnerable system was safe.
Attachments
cimarron test result on puppy 525 after fix.gif
Puppy 525, kernel 2.6.33.2 , after ShellShock fix from dejan555
(8.13 KiB) Downloaded 1254 times

michaellowe
Posts: 66
Joined: Sat 17 Dec 2011, 08:33
Location: The Garden

bash_4.2-2ubuntu2.3_i386.deb passed test on Precise 5.7.1

#82 Post by michaellowe »

Hello everyone, firstly thank you to @cimarron and @Geoffrey for your help, very much appreciated! I thought the least I could do was let everyone who was concerned, or anyone reading this in the near future, know that the patch described in the subject of this post seems to have passed the test and the

"no such file or directory"

response was returned in the terminal as opposed to the date etc., so I am very happy with the result. Apart from that, yes, I agree the media can get a bit hyped when it comes to such things, probably because half the idiots have big mouths with very small brains and don't actually understand what is at stake. Please see the screenshot for noobs' sake. :wink:
Attachments
bash up to date.png
(18.7 KiB) Downloaded 1201 times
Smash forehead on keyboard to continue.....
well thats at least how some of us deal with ba$h !

michaellowe
Posts: 66
Joined: Sat 17 Dec 2011, 08:33
Location: The Garden

You learn something new everyday!

#83 Post by michaellowe »

prehistoric wrote:@Kester,

You can also save yourself some tricky typing by simply highlighting the test command in your browser, directly from this web page, and then doing a "middle-click" in your console window. This will copy highlighted text without needing a cut-and-paste.

Who would have thought??!!! Thank you Prehistoric for suggesting this. Now don't get me wrong, I like typing and I'm keyboard-centric, so I love hotkeys and keyboard shortcuts etc., but sometimes, when executing complicated scripts like the bash up-to-date test, one is pressed for time, and this neat little trick that you have shared with us mere mortal noobs is so appreciated. Do you know how long I trawled the internet for this? Google was useless! This did not come close in the search! So I thank you again for sharing the knowledge! Brilliant! I got the impression from one forum that if you are running a GNOME desktop the copy and paste function does not work in the terminal, and I tried it many moons ago; it doesn't.
Saving time is always appreciated, thanks! :D

michaellowe
Posts: 66
Joined: Sat 17 Dec 2011, 08:33
Location: The Garden

Re: BASH exposure expressed as bigger than Heartbleed.

#84 Post by michaellowe »

Kester wrote:
I have considered removing Puppy Precise 5.7.1 from my dual boot (XP Pro) system by booting up my XP installation disc, opening the 'Repair' option and running 'fixmbr'. I would then return to using live discs for Puppy but perhaps there is no need to take such a drastic step - it's a question of lack of confidence caused by a lack of knowledge on my part. I'm more confident with Windows XP because I know it better but like Puppy very much and decided on dual booting for security reasons when Microsoft support for XP finished - I though I use Puppy for the bulk of my internet activity, so this Bash issue is a little ironic.

@Kester, you could simply run as Spot whenever you want to browse the internet, and then su privileges are removed, making you less vulnerable if you were still worried about web pages being served from insecure webservers.

Please any of you puppy masters feel free to correct me if I am wrong. ;-)

James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

#85 Post by James C »

cimarron wrote: As I posted above, to check if the new (second) fix is working, paste this line into the terminal:

Code:

cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
If your system is vulnerable, the time and date information will be output on the screen (and a file called /tmp/echo will be created):

Code:

bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Fri Sep 26 11:49:58 GMT 2014
If your system is not vulnerable, you will see output similar to:

Code:

bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
date
cat: /tmp/echo: No such file or directory


I just updated an old Mepis 11 install...... based on Debian Squeeze. Results>

Code:

james@mepis1:~$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory

dogle
Posts: 409
Joined: Thu 11 Oct 2007, 12:41

#86 Post by dogle »

Application of dejan555's
http://meownplanet.net/dejan/dpup487/pk ... pup487.pet
to Puppy 4.3.1 produces the desired change in the result of cimarron's test.

Many thanks, folks.

headfound
Posts: 371
Joined: Sun 25 Jun 2006, 00:58
Location: England

#87 Post by headfound »

dejan555's latest bash fixes the problem in precise 5.6.1
thank you :)
Download a better Computer :)
Puppy Linux Song (http://uk.youtube.com/watch?v=rDTLJYDHX3g)
www.letterbyletter.co.uk (http://www.letterbyletter.co.uk)

Geoffrey
Posts: 2355
Joined: Sun 30 May 2010, 08:42
Location: Queensland

#88 Post by Geoffrey »

N̶e̶w̶ ̶u̶p̶d̶a̶t̶e̶ ̶p̶a̶t̶c̶h̶ ̶0̶2̶7̶,̶ ̶c̶o̶m̶p̶i̶l̶e̶d̶ ̶i̶n̶ ̶C̶a̶r̶o̶l̶i̶n̶a̶.̶
New update patch 030, compiled in Carolina.

bash-4.3.30-1.pet

bash_DOC-4.3.30-1.pet

bash_NLS-4.3.30-1.pet
Last edited by Geoffrey on Thu 14 May 2015, 19:29, edited 2 times in total.
Carolina: Recent Repository Additions (http://smokey01.com/carolina/pages/recent-repo.html)

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#89 Post by watchdog »

Geoffrey wrote:New update patch 027, compiled in Carolina.
<CUT>
Frisbee appears to be working with this version
Good job. Tested working for puppy 4.3.1, slacko 5.3.3, lucid 5.28, wary 5.3, precise 5.7.1, slacko 5.7. It passes cimarron's test. Tested frisbee in precise and slacko: it's working with the new bash patch. Thanks.

Kester

#90 Post by Kester »

@michaellowe

Thanks for your post. I tried to log in with Spot but got the following:

# su --login spot
su: unrecognized option '--login'
BusyBox v1.21.0 (2013-02-18 15:57:06 WST) multi-call binary.

Usage: su [OPTIONS] [-] [USER]

Run shell under USER (by default, root)

-,-l Clear environment, run shell as login shell
-p,-m Do not set new $HOME, $SHELL, $USER, $LOGNAME
-c CMD Command to pass to 'sh -c'
-s SH Shell to use instead of user's default

#

Any further advice would be appreciated thanks.

Regards, Kester.

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#91 Post by prehistoric »

@Kester,

You probably don't want to tackle this problem alone; there have been extensive technical discussions in the past, and some puppy derivatives run browsers as "spot" by default. Right now I'm running this on Fatdog 630-631, a 64-bit variant which runs all Internet programs as "spot". This sometimes creates some new problems in changing file ownership when you use your "root" login to copy files elsewhere, but often the error messages don't mean anything serious. The system is taking the right corrective action.

Forum member rcrsn51 has long advocated making a "safe browser" icon on the desktop linked to this code:

Code:

#!/bin/sh
su -l -c "PATH=$PATH LANG=$LANG DISPLAY=$DISPLAY defaultbrowser" spot
I've been too lazy to experiment much myself, letting others do this work, and I don't know the exact pupplet you are running. This limits my ability to give you exact instructions.

I've attached Barry's documentation file from Precise, which I had to compress to get this forum software to accept. Extract the file with pupzip and you can read it with any browser.
Attachments
spotdoc.bz2
documentation on user "spot" from Precise Puppy.
(3.28 KiB) Downloaded 225 times

slavvo67
Posts: 1610
Joined: Sat 13 Oct 2012, 02:07
Location: The other Mr. 305

#92 Post by slavvo67 »

For those of you that used Dejan's patch, it might not have handled the 2nd issue (see James C's post) with the following test:

cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo

Please be sure to check against this, as well as the original. For me, Geoffrey's pets did the trick. I'm running OV Precise Retro 5.8

Kind regards,

Slavvo67

dejan555
Posts: 2798
Joined: Sun 30 Nov 2008, 11:57
Location: Montenegro

#93 Post by dejan555 »

EDIT: See this post for latest version(s)
Last edited by dejan555 on Wed 01 Oct 2014, 20:11, edited 1 time in total.
puppy.b0x.me stuff mirrored HERE (https://drive.google.com/open?id=0B_Mb589v0iCXNnhSZWRwd3R2UWs) or HERE (http://archive.org/details/Puppy_Linux_puppy.b0x.me_mirror)

starhawk
Posts: 4906
Joined: Mon 22 Nov 2010, 06:04
Location: Everybody knows this is nowhere...

#94 Post by starhawk »

starhawk wrote:Installed bash 4.2.x *.txz for Slackware. NOT A FIX FOR X-SLACKO 2.1 -- it will break your savefile.

I've asked my local guru, user jbruchon (who has posted very little here), to come up with a working version for me. We'll see...
jbruchon did not come up with a fix yet, but rg66 did -- anyone running X-Slacko 2.1 should head over to that thread and install the *.PET for the fix...

Wait... *is* there anyone else using X-Slacko 2.1...?

rolf
Posts: 34
Joined: Sun 28 Dec 2008, 17:24

#95 Post by rolf »

mavrothal wrote: Here is bash 3.0.18 for wary/racy 5.5 that also passes the

Code:

cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
test.
That worked on my Puppy 4.31 a couple of days ago.

As has been conjectured from the beginning, it seems there are further vulnerabilities discovered and a patch published.

On my webserver:

Code:

# foo='() { echo not patched; }' bash -c foo
not patched

Leon
Posts: 265
Joined: Wed 22 Jun 2005, 21:33

#96 Post by Leon »

Geoffrey wrote: New update patch 027, compiled in Carolina.

Code:

# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory
#
bash-4.3.27-1.pet
bash_DOC-4.3.27-1.pet
bash_NLS-4.3.27-1.pet

Frisbee appears to be working with this version
Installed and tested successfully in Dpup Wheezy 3.5.2.8.

Thanks, Geoffrey.

rolf
Posts: 34
Joined: Sun 28 Dec 2008, 17:24

#97 Post by rolf »

Leon wrote:
Geoffrey wrote: New update patch 027, compiled in Carolina.

Code:

# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory
#
bash-4.3.27-1.pet
bash_DOC-4.3.27-1.pet
bash_NLS-4.3.27-1.pet

Frisbee appears to be working with this version
Installed and tested successfully in Dpup Wheezy 3.5.2.8.

Thanks, Geoffrey.

Code:

foo='() { echo not patched; }' bash -c foo
What does that return?

See: http://lcamtuf.blogspot.co.nz/2014/09/b ... h-now.html

Leon
Posts: 265
Joined: Wed 22 Jun 2005, 21:33

#98 Post by Leon »

rolf wrote:

Code:

foo='() { echo not patched; }' bash -c foo
What does that return?

See: http://lcamtuf.blogspot.co.nz/2014/09/b ... h-now.html

Code:

foo='() { echo not patched; }' bash -c foo
bash: foo: command not found
It seems patched.

rolf
Posts: 34
Joined: Sun 28 Dec 2008, 17:24

#99 Post by rolf »

Leon wrote:

Code:

foo='() { echo not patched; }' bash -c foo
bash: foo: command not found
It seems patched.
Good. I get that on my ROSA 2012 computer but not on my Puppy 431. :?

mavrothal
Posts: 3096
Joined: Mon 24 Aug 2009, 18:23

#100 Post by mavrothal »

rolf wrote: As has been conjectured from the beginning, it seems there are further vulnerabilities discovered and a patch published.

On my webserver:

Code:

# foo='() { echo not patched; }' bash -c foo
not patched
Just compiled bash-3.0.20.pet and it is working properly :wink: (till the next vulnerability is discovered :roll: )

Edit: uploaded version 3.0.20
Last edited by mavrothal on Thu 02 Oct 2014, 06:05, edited 2 times in total.
== Here is how to solve your (http://www.catb.org/esr/faqs/smart-questions.html) Linux problems fast (https://www.chiark.greenend.org.uk/~sgtatham/bugs.html) ==
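
Added example, not part of any post in this thread: a POSIX shell script that runs both checks quoted above (rolf's "foo" function-import test and cimarron's "echo date" test) against a chosen shell binary, using a throwaway directory instead of /tmp and judging cimarron's test by whether the file was created. The function names and the patched / vulnerable / missing labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: runs the two checks quoted in this thread against a shell
# binary (default: bash). Labels and function names are this example's own.

# rolf's check: a vulnerable bash imports the variable "foo" as a function,
# so running "foo" prints the marker text on stdout.
check_function_import() {
    shell=${1:-bash}
    command -v "$shell" >/dev/null 2>&1 || { echo missing; return 0; }
    out=$(foo='() { echo not patched; }' "$shell" -c foo 2>/dev/null) || true
    if [ "$out" = "not patched" ]; then echo vulnerable; else echo patched; fi
}

# cimarron's check, run in a private directory instead of /tmp: a vulnerable
# bash creates a file named "echo" there. The verdict depends only on whether
# that file exists, the side effect prehistoric points to in post #81.
check_parser_redirect() {
    shell=${1:-bash}
    command -v "$shell" >/dev/null 2>&1 || { echo missing; return 0; }
    work=$(mktemp -d) || { echo error; return 0; }
    (cd "$work" && env 'x=() { (a)=>\' "$shell" -c "echo date" >/dev/null 2>&1) || true
    if [ -e "$work/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$work"
    echo "$result"
}

# Prints one summary line; succeeds only if both checks report "patched".
shellshock_report() {
    shell=${1:-bash}
    a=$(check_function_import "$shell")
    b=$(check_parser_redirect "$shell")
    echo "$shell: function-import=$a parser-redirect=$b"
    [ "$a" = patched ] && [ "$b" = patched ]
}

shellshock_report "${1:-bash}" || echo "update bash and re-run both checks"
```

A result of "missing" means the named shell was not found, so nothing was tested; pass the full path of the bash binary you actually want checked.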
