BASH exposure expressed as bigger than Heartbleed<SOLUTIONS>
This problem potentially affects every modern Puppy distro.
FYI <=== See this
Edited: 2014-10-01
3 articles you may want to read, as they express the problem differently from what has been expressed (misleadingly) in past articles.
What is it "ACTUALLY"?
My modems and routers too! <=== these companies are chip-board suppliers too.
IOS and JunOS <=== reportedly not affected, though.
Solutions
Updates to BASH addressing issues are reported by membership throughout this thread. Download those solutions as provided.
Last edited by gcmartin on Tue 07 Oct 2014, 06:22, edited 6 times in total.
This is a 30-year-old bug and, as with Heartbleed, it affects mostly servers. So no need for major panic.
In any case there are updates available for all major distros so ubuntu, debian and slackware-based puppies are covered.
For T2 puppies (2.x, 4.x, Wary, Racy) the source code should be patched and recompiled into a new pet. This might get BK (or ttuxxx) out of retirement, though being a "mostly server" bug it might not be worth it...
Later: Here is bash-3.0.22 for Wary-/Racy-5.5
Edit: corrected Slackware link. Added Wary/Racy link.
Last edited by mavrothal on Mon 06 Oct 2014, 05:54, edited 12 times in total.
- MochiMoppel
- Posts: 2084
- Joined: Wed 26 Jan 2011, 09:06
- Location: Japan
mavrothal wrote: This is a 30 year old bug
but bash is "only" 25 years old ....
According to Red Hat this code supposedly reveals the bug:
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
Output:
vulnerable
this is a test
MochiMoppel wrote: I tried the bash4.2 included in your linked bash-4.2.045-i486-1.txz patch for Slacko and the code still outputs
Code:
vulnerable
this is a test
I'm not in panic, but I'm not relieved either
You are right, bash42-048 is the patched version.
This is the correct link for Slackware bash
== [url=http://www.catb.org/esr/faqs/smart-questions.html]Here is how to solve your[/url] [url=https://www.chiark.greenend.org.uk/~sgtatham/bugs.html]Linux problems fast[/url] ==
- MochiMoppel
- Posts: 2084
- Joined: Wed 26 Jan 2011, 09:06
- Location: Japan
mavrothal wrote: You are right, bash42-048 is the patched version.
MochiMoppel wrote: bash 42?
I do not know which Puppy you are using, but Slacko 5.7/6 have bash 4.1 (which is actually from Slackware 13.37). The official Slackware 14.1 version (that Slacko 5.7/6 is based on) is 4.2. 4.3 is for the next Slackware version.
From your new link I tried bash-4.3.025-i486-1.txz. This works. Thanks!
Should not make a lot of difference, but given Puppy's heavy dependency on bash I wouldn't be surprised if some issue arises with a different version.
== [url=http://www.catb.org/esr/faqs/smart-questions.html]Here is how to solve your[/url] [url=https://www.chiark.greenend.org.uk/~sgtatham/bugs.html]Linux problems fast[/url] ==
I think all major versions of bash are mostly compatible (4.1 and 4.2 and 4.3; 3.1 and 3.2, etc). That being said, you can get updated bash 4.2 for Slackware, for example, here: http://mirrors.slackware.com/slackware/ ... ck14.1.txz.
The vulnerability is *NOT* as big as Heartbleed, because most people don't use bash as a "server"
Fatdog64 forum links: [url=http://murga-linux.com/puppy/viewtopic.php?t=117546]Latest version[/url] | [url=https://cutt.ly/ke8sn5H]Contributed packages[/url] | [url=https://cutt.ly/se8scrb]ISO builder[/url]
MochiMoppel wrote: this code supposedly reveals the bug:
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
I try this in Upup3992 and nothing happens. Is that good?
EDIT: OK, I get it - you have to enter this code in a terminal, not make a bash script out of it...
Upup does seem to have the fault (bash 4.1)
Last edited by greengeek on Thu 25 Sep 2014, 10:05, edited 1 time in total.
MochiMoppel wrote: this code supposedly reveals the bug:
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
greengeek wrote: I try this in Upup3992 and nothing happens. Is that good?
Make sure you typed everything correctly, including the space between ")" and "{" and the space between "{" and ":".
Fatdog64 forum links: [url=http://murga-linux.com/puppy/viewtopic.php?t=117546]Latest version[/url] | [url=https://cutt.ly/ke8sn5H]Contributed packages[/url] | [url=https://cutt.ly/se8scrb]ISO builder[/url]
Slacko "updates manager" should have Slacko users covered. It's in the menu under "Set up". Once installed, restart X (equivalent to logout, login). Or reboot if extra paranoid. CORRECTION: it doesn't, because a Puppy package covers bash. HOWEVER, still run "updates manager", as this refreshes the "patches" repo database.
Enable "patches" repo in PPM if not already. Then search "bash". Install (make sure from "patches repo"), restart X.
Code:
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
Puppy Linux Blog - contact me for access
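As an added example (not code from any post in this thread), here is a small shell script that wraps the probe the posters above type by hand and shows why the fix works: a patched bash only imports functions from specially named variables, so a plain variable holding function-looking text is kept as data. It assumes bash and env are on PATH.

```shell
# Added example: check a bash binary for the environment-function import bug
# (CVE-2014-6271, the one the thread's probe tests) and show how patched
# bash now exports functions.

# Same harmless probe as in the thread. The value of x is a function
# definition followed by a trailing command; an unpatched bash executes that
# trailing "echo vulnerable" while importing its environment.
# Returns 0 when bash is patched, 1 when the trailing command ran.
shellshock_check() {
    out=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;   # trailing command executed: unpatched
        *)            return 0 ;;   # only the intended echo ran
    esac
}

# Patched bash only parses function definitions from variables carrying the
# BASH_FUNC_ name prefix (upstream appends %%, some distros append ()).
# Prints the variable name bash itself uses when exporting a function.
exported_function_var() {
    bash -c 'f() { echo hi; }; export -f f; env' 2>/dev/null \
        | grep '^BASH_FUNC_f' | head -n 1 | cut -d= -f1
}

# A regular variable whose value merely looks like a function must survive
# import unchanged as data: neither executed nor dropped.
plain_var_survives() {
    env x='() { :;}; echo vulnerable' bash -c 'printf "%s" "$x"'
}

# Stand-alone usage: save as shellshock_check.sh and run it.
case "$0" in
    *shellshock_check.sh)
        if shellshock_check; then echo "bash: patched"; else echo "bash: VULNERABLE"; fi
        echo "exported functions use variable: $(exported_function_var)"
        echo "plain x imported as: $(plain_var_survives)"
        ;;
esac
```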
01micko wrote: Slacko "updates manager" should have slacko users covered. It's in the menu under "Set up". Once installed, restart X (equivalent to logout, login). Or reboot if extra paranoid
If that fails, enable "patches" repo in PPM. Then search "bash". Install, restart X.
As of this moment not available in "updates manager" but is showing in "patches" repo.
Code:
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
Required updating ppm database before pkg would download.
Installed
Good to see fast security fixes.
Code:
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
#
Code:
# bash --version
GNU bash, version 4.2.48(2)-release (i486-slackware-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
#
There's still vulnerability:
http://www.infoq.com/news/2014/09/bash-remote-exploit wrote:
UPDATE 25 September: There is still a vulnerability (CVE-2014-7169) even after the above patches have been applied. Thanks to focus in this area, many people are looking at the code and/or fuzzing it to try and find out what else is possible. This was reported on Twitter by Tavis Ormandy and the proof of concept allows remote overwriting of files owned by that process:
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Thu 25 Sep 2014 08:33:10 BST
Chet Ramey, the maintainer of Bash, has acknowledged the issue and provided a work-in-progress patch, but it has not been officially released on the Bash website. System administrators should consider the currently fixed Bash version to still be vulnerable. When an official patch is provided this post will be updated.
@Mick: Dunno why, but Slackware's bash packages render HOME/END keys unusable in terminal (urxvt, LXTerminal, VTE).
The same happened with bash compiled by myself.
A workaround is to append this to /etc/inputrc:
Code:
"\e[1~": beginning-of-line # Home Key
"\e[4~": end-of-line # End Key
[color=red][size=75][O]bdurate [R]ules [D]estroy [E]nthusiastic [R]ebels => [C]reative [H]umans [A]lways [O]pen [S]ource[/size][/color]
[b][color=green]Omnia mea mecum porto.[/color][/b]
Tahr 5.8.3 rc1 will update to
Code:
# bash --version
GNU bash, version 4.3.11(1)-release (i686-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
#
Code:
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
#
In DebianDog, the following 2 commands got me "good" bash:
Code:
apt-get update
apt-get install bash
Pre-update:
Code:
root@debian:~# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
root@debian:~#
Post-update:
Code:
root@debian:~# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
root@debian:~#