Puppy Linux Discussion Forum
BASH exposure expressed as bigger than Heartbleed<SOLUTIONS>
rg66


Joined: 23 Jul 2012
Posts: 1160
Location: Vancouver, BC Canada / Entebbe, Uganda Africa!?!

PostPosted: Sat 04 Oct 2014, 00:50    Post subject:  

Batch Patcher command line has been updated to v1.1. Double click (or single depending on desktop settings) to run in terminal.

http://murga-linux.com/puppy/viewtopic.php?p=801875#801875


_________________
X-slacko-5b1 - X-tahr-2.0 - X-precise-2.4
X-series repo
rolf

Joined: 28 Dec 2008
Posts: 34

PostPosted: Sat 04 Oct 2014, 08:32    Post subject:  

I've got a small, mostly unattended web server running on Puppy 4.31 on a thin client. I can temporarily connect a monitor and install the patched bash by clicking on them and running pet-get in the gui. It would be more convenient if I could install the pet from CLI in an ssh session, possibly incorporating the Batch Patcher in this process.

As far as I've seen looking around Google, it can be done; there are scripts that seem to extract the pet and run a script within, but, iianm, some aspects of the Puppy package management system are lost when going this route.

Is there CLI package management for Puppy 4.31 that takes care of package/file tracking, upgrading, removing, etc. features that are provided by the gui package manager?
Thanks.
sc0ttman


Joined: 16 Sep 2009
Posts: 2744
Location: UK

PostPosted: Sat 04 Oct 2014, 13:12    Post subject:  

rolf wrote:

Is there CLI package management for Puppy 4.31 that takes care of package/file tracking, upgrading, removing, etc. features that are provided by the gui package manager?
Thanks.


There is 'Pkg' - my package manager in Akita and Puppy Arcade.. It has a very extensive CLI interface, the only thing that would need changing is how it reads and writes to repo files.. Or maybe you could steal some functions from it... It's in the Akita thread..

_________________
Pkg, mdsh, Woofy, Akita, VLC-GTK, Search
Leon

Joined: 22 Jun 2005
Posts: 265

PostPosted: Sat 04 Oct 2014, 14:10    Post subject:  

rg66 wrote:
Batch Patcher command line has been updated to v1.1.

bash_patcher_cli-1.1.gz

Works like a charm.

Thank you, rg66.
rolf

Joined: 28 Dec 2008
Posts: 34

PostPosted: Sat 04 Oct 2014, 18:33    Post subject:  

sc0ttman wrote:
There is 'Pkg' - my package manager in Akita and Puppy Arcade.. It has a very extensive CLI interface, the only thing that would need changing is how it reads and writes to repo files.. Or maybe you could steal some functions from it... It's in the Akita thread..


Yes. I tried 0.9.5 but it got stuck in a loop about the missing repo files. 0.9.0 gives me the
Code:
Usage: pkg [OPTION(S)]
info, at least, and I'll try it when I get another pet that needs installing.
Thanks.

p.s. I found that, after uninstalling the series of patched bash from this thread with ppm, I was left with the old, vulnerable binary. That gave me a chance to try pkg and it seemed to work:

Code:
# pkg -i patched_bash/bash-3.0.21-i486.pet
cat: /root/.packages/alienpackages.txt: No such file or directory
cat: /root/.packages/livepackages5a.txt: No such file or directory
Install the package: bash-3.0.21-i486?  (y/n): 
ycat: /root/.packages/livepackages5a.txt: No such file or directory

cat: /root/.packages/livepackages5a.txt: No such file or directory
cat: /root/.packages/alienpackages.txt: No such file or directory
cat: /root/.packages/livepackages5a.txt: No such file or directory
Package 'bash-3.0.21-i486' installed.
# y
-sh: y: command not found
# curl --insecure https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
101  2533  101  2533    0     0    658      0  0:00:03  0:00:03 --:--:--   680
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
# bash -version
GNU bash, version 3.00.21(1)-release (i486-pc-linux-gnu)
Copyright (C) 2004 Free Software Foundation, Inc.
rolf

Joined: 28 Dec 2008
Posts: 34

PostPosted: Sat 04 Oct 2014, 18:53    Post subject:  

rg66 wrote:
Batch Patcher command line has been updated to v1.1.


I got this script and devx_431.sfs on my Puppy 4.3.1

With
  • cpu MHz : 300.632
    and
  • MemTotal: 250352 kB

it took a little while but it worked, run from ssh cli. Cool

The binary it produced is a little smaller than the one from mavrothal's 3.0.21 pet, which I'll stay with.

Code:
# ls bash-3.0.21/bin -l
total 631
-rwxr-xr-x 1 root root 641708 2014-10-04 12:04 bash
# ls `which bash` -l
-rwxr-xr-x 1 root root 660100 2014-10-03 07:28 /bin/bash


Thanks.
Geoffrey


Joined: 30 May 2010
Posts: 2377
Location: Queensland

PostPosted: Mon 06 Oct 2014, 01:25    Post subject:  

Bash updated to version 4.3.30
http://www.murga-linux.com/puppy/viewtopic.php?p=801669#801669

_________________
Carolina: Recent Repository Additions

mavrothal


Joined: 24 Aug 2009
Posts: 3084

PostPosted: Mon 06 Oct 2014, 01:53    Post subject:  

Bash-3.0.22.
Passes all tests.

Keep in mind that although older versions may not be vulnerable to given exploits, newer versions have better solutions for the given problems (till the next version of course...)

_________________
== Here is how to solve your Linux problems fast ==
6502coder


Joined: 23 Mar 2009
Posts: 649
Location: Western United States

PostPosted: Mon 06 Oct 2014, 02:01    Post subject:  

@mavrothal
Thanks! You must feel like a Puppy chasing his own tail...
dejan555


Joined: 30 Nov 2008
Posts: 2816
Location: Montenegro

PostPosted: Mon 06 Oct 2014, 12:39    Post subject:  

Mirrored, added and updated links to latest bash pets here:
http://www.murga-linux.com/puppy/viewtopic.php?p=801075#801075

_________________
puppy.b0x.me stuff mirrored HERE or HERE
rolf

Joined: 28 Dec 2008
Posts: 34

PostPosted: Mon 06 Oct 2014, 13:05    Post subject:  

Thanks, mavrothal
OscarTalks


Joined: 05 Feb 2012
Posts: 2030
Location: London, England

PostPosted: Mon 06 Oct 2014, 16:13    Post subject:  

The 4.3 version is probably fine in Dpup Wheezy but in case anyone wants to stick with the 4.2 I have uploaded
bash-4.2.53-wheezy.pet (binary only).
Also bash-4.2.53-slacko14.0.pet (binary only, compiled in Slacko 5.7)
http://smokey01.com/OscarTalks

_________________
Oscar in England

James C


Joined: 26 Mar 2009
Posts: 6734
Location: Kentucky

PostPosted: Wed 08 Oct 2014, 01:22    Post subject:  

Partial Shellshock fix for Lighthouse64.....

Newest Slackware bash for Slackware 14.0 x86-64 from
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.559646

Updated package for Slackware x86_64 14.0:

ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/bash-4.2.050-x86_64-1_slack14.0.txz


Code:
bash-4.2# bash --version
GNU bash, version 4.2.50(2)-release (x86_64-slackware-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
<root> ~
bash-4.2#





Code:
bash-4.2# curl --insecure https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2533  100  2533    0     0   5692      0 --:--:-- --:--:-- --:--:--  6665
CVE-2014-6271 (original shellshock): not vulnerable
bash: line 16: 31327 Segmentation fault      bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
<root> ~   



I assume there will be further updates.
8Geee


Joined: 12 May 2008
Posts: 2087
Location: N.E. USA

PostPosted: Wed 08 Oct 2014, 22:15    Post subject: slacko5.7 and 5.5XL  

patch 4.3.30-1 passes all tests "not vulnerable" using slacko 5.7 derivative with 3.4.82 (non-pae) kernel. I don't use frisbee for wifi cnxn... can't report on that.

edit:
Also patched as above on slacko 5.5XL kernel 3.2.33-4g.

_________________
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."
prehistoric


Joined: 23 Oct 2007
Posts: 1747

PostPosted: Fri 10 Oct 2014, 08:41    Post subject:  

There seems to be confusion concerning version and build numbers. Here's what I'm running successful tests with on Fatdog 630-631 and Fatdog 700 b1, all 64-bit versions.
Code:
# bash --version
GNU bash, version 4.2.52(2)-release (x86_64-unknown-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
#
Here is the corresponding test result.
Code:
#  curl --insecure https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2533  100  2533    0     0   6406      0 --:--:-- --:--:-- --:--:--  7538
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
#

Added: this update is not from a .pet file. Fatdog 700 has switched to gslapt/slaptget package manager. Because the other files have not changed at all I was able to upgrade my older installation by simply copying /bin/bash from 700 b1 to /bin of 630-631. This was listed as release 5 of the x86_64 bit version of bash 4.2 in gslapt/slaptget, or bash-4.2-x86_64-5.txz.

With the exception of the version number these instructions from JamesBond should still apply.

Code:
1. Get bash-4.2-x86_64-3.txz from 700 repo.
2. mkdir /tmp/xxx
3. cd /tmp/xxx
4. tar -xf /path/to/downloaded/bash-4.2-x86_64-3.txz
5. try to run ./bin/bash --version (version should be 4.2.49)
6. if this is good then cp ./bin/bash /bin


This should do until we stop getting new changes and copying things from a beta release.

Last edited by prehistoric on Fri 10 Oct 2014, 18:51; edited 2 times in total
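
The check-then-copy procedure quoted in the post above, as an added sketch that is not part of any post in this thread or of any Puppy or Fatdog tool: it runs the extracted binary, probes it locally for CVE-2014-6271 instead of piping a script fetched with `curl --insecure` into a root shell, and only then replaces the target while keeping the old binary. The function names and the `.pre-patch` / `.new` suffixes are assumptions of this example, and the probe covers only the first CVE in the test output shown in this thread.

```shell
#!/bin/sh
# Added example: vet a candidate bash binary before it replaces the system one.
# check_6271 and install_candidate are names made up for this sketch.

# Returns 0 if the binary ignores a command appended to a function definition
# passed in through the environment (CVE-2014-6271), 1 if it runs that
# command, 2 if the binary did not run at all.
check_6271() {
    candidate=$1
    out=$(env 'x=() { :;}; echo VULNERABLE' "$candidate" -c 'echo probe' 2>/dev/null)
    case $out in
        *VULNERABLE*) return 1 ;;
        *probe*)      return 0 ;;
        *)            return 2 ;;
    esac
}

# Same order as the quoted steps: run the extracted binary first, copy second.
# The copy is staged beside the target and renamed into place, and the old
# binary is kept, so a failed copy never leaves a truncated /bin/bash.
install_candidate() {
    candidate=$1
    target=$2
    "$candidate" --version >/dev/null 2>&1 || {
        echo "refusing: $candidate does not run" >&2; return 1; }
    check_6271 "$candidate" || {
        echo "refusing: $candidate failed the CVE-2014-6271 probe" >&2; return 1; }
    if [ -e "$target" ]; then
        cp -p "$target" "$target.pre-patch" || return 1
    fi
    cp -p "$candidate" "$target.new" || return 1
    mv -f "$target.new" "$target"
}

# Usage: sh vet_bash.sh /tmp/xxx/bin/bash /bin/bash
if [ "$#" -eq 2 ]; then
    install_candidate "$1" "$2"
fi
```

Running `check_6271 /bin/bash` again after any package removal catches the case reported earlier in the thread, where uninstalling the patched pets left the old binary in place.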