(OLD) (ARCHIVED) Puppy Linux Discussion Forum
All times are UTC - 4
BASH exposure expressed as bigger than Heartbleed<SOLUTIONS>
Page 7 of 13 [186 Posts]
prehistoric


Joined: 23 Oct 2007
Posts: 1748

Posted: Mon 29 Sep 2014, 10:46

@Kester,

You probably don't want to tackle this problem alone; there have been extensive technical discussions in the past, and some puppy derivatives run browsers as "spot" by default. Right now I'm running this on Fatdog 630-631, a 64-bit variant which runs all Internet programs as "spot". This sometimes creates some new problems in changing file ownership when you use your "root" login to copy files elsewhere, but often the error messages don't mean anything serious. The system is taking the right corrective action.

Forum member rcrsn51 has long advocated making a "safe browser" icon on the desktop linked to this code:

Code:
#!/bin/sh
su -l -c "PATH=$PATH LANG=$LANG DISPLAY=$DISPLAY defaultbrowser" spot


I've been too lazy to experiment much myself, letting others do this work, and I don't know the exact pupplet you are running. This limits my ability to give you exact instructions.

I've attached Barry's documentation file from Precise, which I had to compress to get this forum software to accept. Extract the file with pupzip and you can read it with any browser.
Attachment: spotdoc.bz2 (3.28 KB), documentation on user "spot" from Precise Puppy.
slavvo67

Joined: 12 Oct 2012
Posts: 1625
Location: The other Mr. 305

Posted: Mon 29 Sep 2014, 11:36

For those of you that used Dejan's patch, it might not have handled the 2nd issue (see James C.'s post) with the following test:

cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo

Please be sure to check against this, as well as the original. For me, Geoffrey's pets did the trick. I'm running OV Precise Retro 5.8

Kind regards,

Slavvo67
dejan555


Joined: 30 Nov 2008
Posts: 2817
Location: Montenegro

Posted: Mon 29 Sep 2014, 12:21

EDIT: See this post for latest version(s)
_________________
puppy.b0x.me stuff mirrored HERE or HERE

Last edited by dejan555 on Wed 01 Oct 2014, 16:11; edited 1 time in total
starhawk

Joined: 22 Nov 2010
Posts: 5056
Location: Everybody knows this is nowhere...

Posted: Mon 29 Sep 2014, 12:43

starhawk wrote:
Installed bash 4.2.x *.txz for Slackware. NOT A FIX FOR X-SLACKO 2.1 -- it will break your savefile.

I've asked my local guru, user jbruchon (who has posted very little here), to come up with a working version for me. We'll see...


jbruchon did not come up with a fix yet, but rg66 did -- anyone running X-Slacko 2.1 should head over to that thread and install the *.PET for the fix...

Wait... *is* there anyone else using X-Slacko 2.1...?

rolf

Joined: 28 Dec 2008
Posts: 34

Posted: Mon 29 Sep 2014, 12:52

mavrothal wrote:
Here is bash 3.0.18 for wary/racy 5.5 that also passes the
Code:
cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
test.


That worked on my Puppy 4.31 a couple of days ago.

As has been conjectured from the beginning, it seems there are further vulnerabilities discovered and a patch published.

On my webserver:

Code:
# foo='() { echo not patched; }' bash -c foo
not patched
Leon

Joined: 22 Jun 2005
Posts: 268

Posted: Mon 29 Sep 2014, 14:37

Geoffrey wrote:
New update patch 027, compiled in Carolina.

Code:
# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory
#

bash-4.3.27-1.pet
bash_DOC-4.3.27-1.pet
bash_NLS-4.3.27-1.pet

Frisbee appears to be working with this version

Installed and tested successfully in Dpup Wheezy 3.5.2.8.

Thanks, Geoffrey.
rolf

Joined: 28 Dec 2008
Posts: 34

Posted: Mon 29 Sep 2014, 14:54

Leon wrote:
Geoffrey wrote:
New update patch 027, compiled in Carolina.

Code:
# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory
#

bash-4.3.27-1.pet
bash_DOC-4.3.27-1.pet
bash_NLS-4.3.27-1.pet

Frisbee appears to be working with this version

Installed and tested successfully in Dpup Wheezy 3.5.2.8.

Thanks, Geoffrey.


Code:
foo='() { echo not patched; }' bash -c foo


What does that return?

See: http://lcamtuf.blogspot.co.nz/2014/09/bash-bug-apply-unofficial-patch-now.html
Leon

Joined: 22 Jun 2005
Posts: 268

Posted: Mon 29 Sep 2014, 16:06

rolf wrote:
Code:
foo='() { echo not patched; }' bash -c foo


What does that return?

See: http://lcamtuf.blogspot.co.nz/2014/09/bash-bug-apply-unofficial-patch-now.html

Code:
foo='() { echo not patched; }' bash -c foo
bash: foo: command not found

It seems patched.
rolf

Joined: 28 Dec 2008
Posts: 34

Posted: Mon 29 Sep 2014, 16:22

Leon wrote:

Code:
foo='() { echo not patched; }' bash -c foo
bash: foo: command not found

It seems patched.


Good. I get that on my ROSA 2012 computer but not on my Puppy 431. :?
mavrothal


Joined: 24 Aug 2009
Posts: 3108

Posted: Mon 29 Sep 2014, 17:28

rolf wrote:
As has been conjectured from the beginning, it seems there are further vulnerabilities discovered and a patch published.

On my webserver:

Code:
# foo='() { echo not patched; }' bash -c foo
not patched


Just compiled bash-3.0.20.pet and is working properly ;) (till the next vulnerability is discovered :roll: )

Edit: uploaded version 3.0.20

_________________
== Here is how to solve your Linux problems fast ==

Last edited by mavrothal on Thu 02 Oct 2014, 02:05; edited 2 times in total
rolf

Joined: 28 Dec 2008
Posts: 34

Posted: Mon 29 Sep 2014, 17:42

mavrothal wrote:

Just compiled bash-3.0.19.pet and is working properly ;) (till the next vulnerability is discovered :roll: )


Code:
# bash -version
GNU bash, version 3.00.19(1)-release (i486-pc-linux-gnu)
Copyright (C) 2004 Free Software Foundation, Inc.
# foo='() { echo not patched; }' bash -c foo
bash: foo: command not found


Thanks! :D
michaellowe


Joined: 17 Dec 2011
Posts: 69
Location: The Garden

Posted: Mon 29 Sep 2014, 18:14    Post subject: running as spot

Kester wrote:
@michaellowe

Thanks for your post. I tried to log in with Spot but got the following:

# su --login spot
su: unrecognized option '--login'
BusyBox v1.21.0 (2013-02-18 15:57:06 WST) multi-call binary.

Usage: su [OPTIONS] [-] [USER]

Run shell under USER (by default, root)

-,-l Clear environment, run shell as login shell
-p,-m Do not set new $HOME, $SHELL, $USER, $LOGNAME
-c CMD Command to pass to 'sh -c'
-s SH Shell to use instead of user's default

#

Any further advice would be appreciated thanks.
Regards, Kester.


@kester sorry, I tried to respond earlier today; for some strange reason, even though the forum returned a "sent successfully" response, it obviously hasn't, as I can't see my response to you. Well, here it is again for the second time round.

Please bear in mind that I am running Puppy Precise 5.7.1.
This may not work for you exactly as it does for me, and Prehistoric has rightly posted a more diplomatic post than I am about to. Anyway, without any further ado.

You are not required to use the --login option when logging in as spot.
Simply type: su spot and hit the return!
If you want to be sure you are indeed spot, then simply type:

whoami

and you should get:

spot
#
After this, fire up your browser and away you go!
As Prehistoric suggested, I'd take a look at that BK doc to which he has so kindly placed a link in his most recent post ;)
I was going to read it right now but I need to go to sleep before my head hits the keyboard. ;)

_________________
Smash forehead on keyboard to continue.....
well thats at least how some of us deal with ba$h !
chapchap70

Joined: 18 Nov 2010
Posts: 210
Location: The Island Of Long (NY, USA)

Posted: Mon 29 Sep 2014, 23:05

Code:
# /bin/bash --version
GNU bash, version 4.3.27(1)-release (i686-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.



I installed this pet in Slacko 5.6.0, Precise 5.7.1, Lucid 5.2.8.6, and DPup Wheezy 3.5.2.11. Frisbee works in all of them.

Do Not!! try to install this pet into FatDog. I remember seeing an updated Bash pet for FatDog in one of these threads somewhere.
perdido


Joined: 09 Dec 2013
Posts: 1601
Location: ¿Altair IV , Just north of Eeyore Junction.?

Posted: Mon 29 Sep 2014, 23:53

mavrothal wrote:
Just compiled bash-3.0.19.pet and is working properly ;) (till the next vulnerability is discovered :roll: )


Thanks mavrothal!

Installed to puppy 4.12

It does not break frisbee.


.
neversaynever

Joined: 27 Mar 2014
Posts: 17

Posted: Tue 30 Sep 2014, 06:50

Code:
# bash -version
GNU bash, version 3.00.19(1)-release (i486-pc-linux-gnu)
Copyright (C) 2004 Free Software Foundation, Inc.
# foo='() { echo not patched; }' bash -c foo
bash: foo: command not found

For slacko 5.7 (see 01micko post of 25 sep 2014 in this thread).
Update Manager (Menu>Set up>Updates Manager). Open PPM and search for 'bash' in 'slackware-14.0-patches' repositories. You'll find a new patch bash-4.2.050.
Install it and also the third test will be OK ('bash: foo: command not found').
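
The two checks quoted across the posts above, wrapped into one script that can be pointed at any bash binary after installing a patched package. This is an added example, not part of any post in the thread; the `BASH_BIN` variable and the function names are assumptions, and the redirect test runs in a scratch directory instead of /tmp.

```shell
#!/bin/sh
# Added example, not from the thread. BASH_BIN and all function names are
# assumptions of this sketch; the two test strings are the ones quoted above.
BASH_BIN="${BASH_BIN:-bash}"

# slavvo67's test: a vulnerable bash mis-parses the imported variable, runs
# "date" instead of "echo date" and redirects its output to a file "echo".
# Runs in a private scratch directory rather than /tmp. 0 = passes.
check_parser_redirect() {
    cpr_dir=$(mktemp -d) || return 2
    ( cd "$cpr_dir" && env 'x=() { (a)=>\' "$BASH_BIN" -c "echo date" ) \
        >/dev/null 2>&1 || true
    cpr_rc=0
    if [ -e "$cpr_dir/echo" ]; then cpr_rc=1; fi
    rm -rf "$cpr_dir"
    return "$cpr_rc"
}

# rolf's test: a vulnerable bash turns any variable whose value starts with
# "() {" into a function, so the command "foo" exists and prints the marker.
# A fixed bash answers "foo: command not found" on stderr. 0 = passes.
check_function_import() {
    cfi_out=$(foo='() { echo not patched; }' "$BASH_BIN" -c foo 2>/dev/null) || true
    [ "$cfi_out" != "not patched" ]
}

# Run both checks and print one line per test; returns 0 only if both pass.
report() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo "$BASH_BIN: not found"; return 2; }
    rep_failed=0
    if check_parser_redirect; then echo "redirect test: OK (no file named echo)"
    else echo "redirect test: VULNERABLE"; rep_failed=1; fi
    if check_function_import; then echo "function import test: OK"
    else echo "function import test: VULNERABLE"; rep_failed=1; fi
    return "$rep_failed"
}

report
```

Set `BASH_BIN=/bin/bash` (or another path) to test a specific binary rather than the first `bash` on `PATH`.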