"Shell Shock" Cure for all pre-October 2014 Pups

mikeslr
Posts: 3890
Joined: Mon 16 Jun 2008, 21:20
Location: 500 seconds from Sol


#1 Post by mikeslr »

September 27, 2014 edited

Edit: October 7, 2014: As far as I can tell, there are now for all Pups pets available which plug the Shell Shock bug; Get them here: http://murga-linux.com/puppy/viewtopic. ... 075#801075

Hi All,

If your Puppy was published (made available) before September 26, 2014, it is vulnerable to the "Shell Shock" Bug. This is NOT just a Puppy vulnerability. All operating systems are compromised. That bug potentially can enable an intruder to gain access to all your data, and take total control of your computer. Unless your router was also manufactured after that date, its firewall may also be compromised by the Shell Shock Bug.
For the full story, and to apply an easy cure for the bug, read thru the short thread starting here: http://murga-linux.com/puppy/viewtopic. ... 578#800578.

Short synopsis and comments:

Bash is one of software's building blocks. It is used in almost everything: your router, your operating system -- whether you're running Windows, Mac or Linux -- probably your Android appliances and i-Stuff. The vulnerability has been around for about 25 years: it seems someone left a back door "for testing purposes" open. About three days ago, the discovery of that vulnerability was announced. The Linux world has quickly responded. Red Hat was the first to devise a solution, and being open source, announced it. Thank you Red Hat. Patches now exist, I believe, for all versions of Puppy, based on the work done by Ubuntu, Slackware, and in a couple of instances relating to T2 Built Pups our own Devs, Geoffrey, dejan555, and anikin. Thanks, Guys.

The patches are not a complete solution to the bug. So keep your eyes open for that.

Since your router may be compromised, be sure to turn on the firewall of your operating system.
Windows has yet to respond. And whether it will respond with a "bug-fix" for XP, or any version prior to Windows 7 is questionable. Also questionable is whether any such fix will work under Wine. See http://wiki.winehq.org/SecuringWine. Wine has shrugged off any real concern for security because most Linux distros do not let you automatically run applications as "root" -- think Administrator in the Windows world. Puppy does. So until matters are clarified, I recommend being cautious about running Windows programs under Wine. Several years ago, Wine was almost an essential component of any Linux OS, because Linux applications were not as far advanced as those available under XP. That is not the case today. Unless you're running specialized business programs, there are only one or two areas I know of in which you won't find some application as good as, and often better than, Windows programs purchased by consumers. Taxes. As yet, there is only one Linux software to prepare your US or State taxes. [See http://opentaxsolver.sourceforge.net/, which I haven't tried]. TurboTax, TaxAct and H&R Block's installable versions won't run under Wine, anyway, and it seems that changes last year preclude the use of online versions.
I don't play games, so perhaps there are games which will run under Wine whose equivalents can't be found under Linux. But if you must use Wine, might I suggest that you set up a separate Puppy just for those things you can't live without. I doubt it will use up more than a couple of Gbs of your hard-drive, even with shinobar's "uncompressed" wine-portable. Or install that Pup to a USB-Key.

mikesLR
Last edited by mikeslr on Wed 08 Oct 2014, 00:40, edited 1 time in total.

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#2 Post by mikeb »

Bash used on windows?
It was mentioned this was a bug that affects servers.
The test for it seemed a little obtuse...how exactly does that make anything vulnerable in itself with regard to a PC user on the internet?
confused
mike

Ray MK
Posts: 774
Joined: Tue 05 Feb 2008, 09:10
Location: UK

#3 Post by Ray MK »

Confused 2 -
does this mean that all the luvly puppies that have been made over the last 5,6,7 or so years are useless and should be sent to the knackers yard in the sky?
Please help me/us to understand - is this a back door?
Are we safe?

Could we make a new “shell shock
Asus 701SD. 2gig ram. 8gb SSD. IBM A21m laptop. 192mb ram. PIII Coppermine proc. X60 T2400 1.8Ghz proc. 2gig ram. 80gb hdd. T41 Pentium M 1400Mhz. 512mb ram.

Geoffrey
Posts: 2355
Joined: Sun 30 May 2010, 08:42
Location: Queensland

#4 Post by Geoffrey »

If you're a billion dollar company running a web server on your free puppy linux distro, then it would be wise to update bash.

https://www.youtube.com/watch?v=ArEOVHQu9nk

Else it's not that important, but if it can be fixed why not fix it :wink:
Carolina: Recent Repository Additions (http://smokey01.com/carolina/pages/recent-repo.html)

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#5 Post by mikeb »

Sorry...I just have this annoying habit of trying to keep things in proportion.

An update to slip in of course...stuff that goes on all the time.

I thought those places were for horses...where do unwanted, unsafe worn out pups really go....ah yes we keep on using them :D

mike

solo
Posts: 389
Joined: Thu 14 Nov 2013, 20:33

#6 Post by solo »

So what does this mean? Will the main iso's that people will download just to try out Puppy Linux still be vulnerable, or are they going to be remastered with a patched BASH version?

I mean people will go to a site like puppylinux.org, where they will read that there's this great Linux distro which has -long term support-, and right now they will download a Puppy iso from 2013, with the Shellshock vulnerability, and the only way for them to get that fixed is if they have the good sense and awareness to visit sites like this one and read up on matters.

I don't believe that kind of responsibility should be expected from first time users.

rokytnji
Posts: 2262
Joined: Tue 20 Jan 2009, 15:54

#7 Post by rokytnji »

solo wrote: So what does this mean? Will the main iso's that people will download just to try out Puppy Linux still be vulnerable, or are they going to be remastered with a patched BASH version?

I mean people will go to a site like puppylinux.org, where they will read that there's this great Linux distro which has -long term support-, and right now they will download a Puppy iso from 2013, with the Shellshock vulnerability, and the only way for them to get that fixed is if they have the good sense and awareness to visit sites like this one and read up on matters.

I don't believe that kind of responsibility should be expected from first time users.
What downloadable iso that you know of comes with a Patched bash?
Even Apple just released their fix recently.
I am kinda missing the point here.

But I have always been a slow study type of Linux user.
I don't get gist of the bitch?

solo
Posts: 389
Joined: Thu 14 Nov 2013, 20:33

#8 Post by solo »

I'm sorry if my message came off as 'bitchy'. And hey shit, perhaps it was. So, you know, sorry.

Truth be told, I was actually pretty impressed how some people here were 'on the ball' so to speak, and were producing patched bash versions in pet format for various puppy distros real quickly.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#9 Post by rcrsn51 »

Would someone please explain to me how this vulnerability affects a Puppy CLIENT machine in ANY way?

No generalizations please - specific examples.

The greater long-term risk to Puppy is that bash changes the way it handles exported functions. This would affect just about every gtkdialog app in Puppy.

James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

#10 Post by James C »

What is #shellshock?


https://shellshocker.net/


For informational purposes only.
Shellshock (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277) is a vulnerability in GNU's bash shell that gives attackers access to run remote commands on a vulnerable system. If your system has not updated bash since Sun Sep 28 2014: 1:11AM EST (See patch history), you're most definitely vulnerable and have been since first boot. This security vulnerability affects versions 1.14 (released in 1994) to the most recent version 4.3 according to NVD.

You can use this website to test if your system is vulnerable, and also learn how to patch the vulnerability so you are no longer at risk for attack.

James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

#11 Post by James C »

From Symantec.

http://www.symantec.com/connect/blogs/s ... nerability
The most likely route of attack is through Web servers utilizing CGI (Common Gateway Interface), the widely-used system for generating dynamic Web content. An attacker can potentially use CGI to send a malformed environment variable to a vulnerable Web server. Because the server uses Bash to interpret the variable, it will also run any malicious command tacked-on to it.
Aside from Web servers, other vulnerable devices include Linux-based routers that have a Web interface that uses CGI. In the same manner as an attack against a Web server, it may be possible to use CGI to exploit the vulnerability and send a malicious command to the router.
For consumers
Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Users of Apple’s Mac OS X should be aware that the operating system currently ships with a vulnerable version of Bash. Mac users should apply any patches for OS X when they become available.
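
Added example, not part of any post in this thread: a shell script for the CGI path the Symantec excerpt describes. It flags request headers that a CGI server would export to bash as function-shaped environment variables, and checks whether the local bash acts on such a variable; the function names and sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical and
# the sample headers are constructed.

# RFC 3875: a CGI server exports each request header as HTTP_<NAME>,
# e.g. User-Agent -> HTTP_USER_AGENT, before it runs the script.
cgi_var_name() {
    printf 'HTTP_%s\n' "$(printf '%s' "$1" | tr 'a-z-' 'A-Z_')"
}

# Read "Name: value" header lines on stdin; print the CGI variable name of
# every header whose value starts with "() {", the prefix that pre-patch
# bash treated as an exported function definition and parsed on startup.
flag_function_headers() {
    tr -d '\r' | while IFS= read -r line; do
        case $line in *:*) ;; *) continue ;; esac
        name=${line%%:*}
        value=${line#*:}
        value=${value#"${value%%[![:space:]]*}"}   # drop leading blanks
        case $value in
            '() {'*) cgi_var_name "$name" ;;
        esac
    done
}

# Local check: hand a child bash a variable of that shape and see whether
# the text after the function body runs.
# Prints one of: vulnerable, patched, no-bash.
probe_local_bash() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(env 'probe=() { :; }; echo IMPORTED' bash -c ':' 2>/dev/null) || true
    case $out in
        *IMPORTED*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# Constructed request headers: two ordinary, one carrying the signature.
sample_headers() {
    printf '%s\n' \
        'Host: printer.example' \
        'User-Agent: () { :; }; echo constructed-marker' \
        'Accept: */*'
}
```

Running `sample_headers | flag_function_headers` prints the variable a server log review should look for; `probe_local_bash` only covers the original CVE-2014-6271 behaviour, not the later CVEs listed above.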

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#12 Post by rcrsn51 »

So there is ZERO need for a Puppy user to patch his/her version of bash. Unless, as Geoffrey said above, they are running a server exposed to the world.

Since my router has a decent password on it, I cannot see how this bug makes it any less secure.

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#13 Post by Sylvander »

1. Having installed bash-4.3.27-1.pet...

2. I tried testing my system [Slacko-5.7.0-pae] at the site linked in the post above by James C.
i.e. https://shellshocker.net/

3. My system was invulnerable to exploits 1, 2 & 3, and vulnerable to exploits 4 & 5.

Hey-ho, rcrsn51 says it's irrelevant anyway. :wink:

James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

#14 Post by James C »

Why let any little thing like facts interfere with a good crisis?

Bold emphasis mine...
The most likely route of attack is through Web servers utilizing CGI (Common Gateway Interface), the widely-used system for generating dynamic Web content. An attacker can potentially use CGI to send a malformed environment variable to a vulnerable Web server. Because the server uses Bash to interpret the variable, it will also run any malicious command tacked-on to it.
Aside from Web servers, other vulnerable devices include Linux-based routers that have a Web interface that uses CGI. In the same manner as an attack against a Web server, it may be possible to use CGI to exploit the vulnerability and send a malicious command to the router.
http://www.symantec.com/connect/blogs/s ... nerability

Symantec is a fairly well-respected entity in computer security.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#15 Post by rcrsn51 »

Exactly. Instead of testing to see if the bash bug makes you vulnerable to YOURSELF, you should try attacking some other device on your network that runs a web server, like a wireless printer.

jamesbond
Posts: 3433
Joined: Mon 26 Feb 2007, 05:02
Location: The Blue Marble

#16 Post by jamesbond »

rcrsn51 wrote: So there is ZERO need for a Puppy user to patch his/her version of bash. Unless, as Geoffrey said above, they are running a server exposed to the world.

Since my router has a decent password on it, I cannot see how this bug makes it any less secure.
Good point. See https://access.redhat.com/articles/1200223, the "Common Configuration examples" section. The only thing which is probably vulnerable is CUPS - assuming that the CUPS webserver is open for everybody for attack. For some others who do remoting a lot, SSH may be a vector. The other likely problem is "dhclient", but puppies don't use dhclient, they use "dhcpcd" instead. I wonder whether dhcpcd has similar env issues like dhclient.
Exactly. Instead of testing to see if the bash bug makes you vulnerable to YOURSELF, you should try attacking some other device on your network that runs a web server, like a wireless printer.
Did you read about a guy who made this Canon printer play Doom (no, I'm not joking - he actually compromised the printer's firmware and uploaded the Doom game to it :lol: )
Fatdog64 forum links: Latest version (http://murga-linux.com/puppy/viewtopic.php?t=117546) | Contributed packages (https://cutt.ly/ke8sn5H) | ISO builder (https://cutt.ly/se8scrb)

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#17 Post by watchdog »

I think the real point is that you can't trust the whole internet (how many unpatched linux servers are there?) for serious tasks such as home-banking and e-commerce. I use internet to play but I fear to use it for serious tasks even business e-mails. I stopped using debit cards on internet after many frauds. I trust my online bank only because I hope they are more scrupulous than me in ai security measures. I patch my puppy but the problem is out there.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#18 Post by rcrsn51 »

The Dynamic Host Configuration Protocol Client (dhclient) is used to automatically obtain network configuration information via DHCP. This client uses various environment variables and runs Bash to configure the network interface. Connecting to a malicious DHCP server could allow an attacker to run arbitrary code on the client machine.
If you are getting your IP address from a malicious DHCP server, you probably have bigger problems than shellshock.

jamesbond
Posts: 3433
Joined: Mon 26 Feb 2007, 05:02
Location: The Blue Marble

#19 Post by jamesbond »

rcrsn51 wrote:
The Dynamic Host Configuration Protocol Client (dhclient) is used to automatically obtain network configuration information via DHCP. This client uses various environment variables and runs Bash to configure the network interface. Connecting to a malicious DHCP server could allow an attacker to run arbitrary code on the client machine.
If you are getting your IP address from a malicious DHCP server, you probably have bigger problems than shellshock.
Sometimes you don't have control over which DHCP server you use (e.g. when you use free wifi from McDonalds or the like). If they are infected, then they can get to your laptop too. At the end of the day, like everything in life, the risks depend on your lifestyle 8)

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#20 Post by rcrsn51 »

jamesbond wrote: Sometimes you don't have control over which DHCP server you use (e.g. when you use free wifi from McDonalds or the like). If they are infected, then they can get to your laptop too.
True. But is there any evidence that updating your own bash would protect you? A more likely scenario is that they would give you an IP address on a malicious network that would try to harvest your personal information.
