BASH exposure expressed as bigger than Heartbleed<SOLUTIONS>

For discussions about security.
gcmartin

#1 Post by gcmartin »

This problem potentially affects every modern Puppy distro.
FYI <=== See this

Edited: 2014-10-01
3 articles you may want to read, as they express the problem differently from what has been expressed (misleadingly) in past articles.
What is it "ACTUALLY"?
My modems and routers too!
<=== these companies are chip-board suppliers too.
IOS and JunOS <=== reportedly not affected, though.

Solutions
Updates to BASH addressing issues are reported by membership throughout this thread. Download those solutions as provided.
Last edited by gcmartin on Tue 07 Oct 2014, 06:22, edited 6 times in total.

slavvo67
Posts: 1610
Joined: Sat 13 Oct 2012, 02:07
Location: The other Mr. 305

#2 Post by slavvo67 »

YIKES! Do we know if anyone in Puppyland is working on patching things?

This is very bad!

mavrothal
Posts: 3096
Joined: Mon 24 Aug 2009, 18:23

#3 Post by mavrothal »

This is a 30 year old bug and as with Heartbleed it affects mostly servers. So no need for major panic. 8)

In any case there are updates available for all major distros so ubuntu, debian and slackware-based puppies are covered.

For T2 puppies (2.x, 4.x, warry, racy) the source code should be patched and recompiled to a new pet. This might get BK (or ttuxxx) out of retirement, though being a "mostly server" bug it might not be worth it... :P
Later: Here is bash-3.0.22 for Wary-/Racy-5.5

Edit: correct slackware link. Added wary/racy link
Last edited by mavrothal on Mon 06 Oct 2014, 05:54, edited 12 times in total.

MochiMoppel
Posts: 2084
Joined: Wed 26 Jan 2011, 09:06
Location: Japan

#4 Post by MochiMoppel »

mavrothal wrote: This is a 30 year old bug
:?: but bash is "only" 25 years old ....

According to Redhat this code supposedly reveals the bug:

Code:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
I tried the bash4.2 included in your linked bash-4.2.045-i486-1.txz patch for Slacko and the code still outputs

Code:

 vulnerable
 this is a test
I'm not in panic, but I'm not relieved either :cry:

mavrothal
Posts: 3096
Joined: Mon 24 Aug 2009, 18:23

#5 Post by mavrothal »

MochiMoppel wrote: I tried the bash4.2 included in your linked bash-4.2.045-i486-1.txz patch for Slacko and the code still outputs

Code:

 vulnerable
 this is a test
I'm not in panic, but I'm not relieved either :cry:
You are right, bash42-048 is the patched version.
This is the correct link for slackware bash
== Here is how to solve your Linux problems fast: http://www.catb.org/esr/faqs/smart-questions.html | https://www.chiark.greenend.org.uk/~sgtatham/bugs.html ==

MochiMoppel
Posts: 2084
Joined: Wed 26 Jan 2011, 09:06
Location: Japan

#6 Post by MochiMoppel »

<double post>
Last edited by MochiMoppel on Thu 25 Sep 2014, 06:26, edited 2 times in total.

MochiMoppel
Posts: 2084
Joined: Wed 26 Jan 2011, 09:06
Location: Japan

#7 Post by MochiMoppel »

mavrothal wrote: You are right, bash42-048 is the patched version.
bash 42?
From your new link I tried bash-4.3.025-i486-1.txz. This works. Thanks!

mavrothal
Posts: 3096
Joined: Mon 24 Aug 2009, 18:23

#8 Post by mavrothal »

MochiMoppel wrote:
mavrothal wrote: You are right, bash42-048 is the patched version.
bash 42?
From your new link I tried bash-4.3.025-i486-1.txz. This works. Thanks!
I do not know which puppy you are using but slacko 5.7/6 have bash 4.1 (which is actually from slackware 13.37). The official slackware 14.1 version (that slacko 5.7/6 is based on) is 4.2. 4.3 is for the next slackware version.
Should not make a lot of difference, but given the heavy dependency of puppy on bash I wouldn't be surprised if some issue arises with a different version.

jamesbond
Posts: 3433
Joined: Mon 26 Feb 2007, 05:02
Location: The Blue Marble

#9 Post by jamesbond »

I think all major versions of bash are mostly compatible (4.1 and 4.2 and 4.3; 3.1 and 3.2, etc). That being said, you can get updated bash 4.2 for slackware, for example, here: http://mirrors.slackware.com/slackware/ ... ck14.1.txz.

The vulnerability is *NOT* as big as Heartbleed, because most people don't use bash as a "server" :)
Fatdog64 forum links: Latest version (http://murga-linux.com/puppy/viewtopic.php?t=117546) | Contributed packages (https://cutt.ly/ke8sn5H) | ISO builder (https://cutt.ly/se8scrb)

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#10 Post by greengeek »

MochiMoppel wrote: this code supposedly reveals the bug:

Code:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
:
I try this in Upup3992 and nothing happens. Is that good?

EDIT : Ok I get it - you have to enter this code in a terminal, not make a bash script out of it...
Upup does seem to have the fault (bash 4.1)
Last edited by greengeek on Thu 25 Sep 2014, 10:05, edited 1 time in total.

jamesbond
Posts: 3433
Joined: Mon 26 Feb 2007, 05:02
Location: The Blue Marble

#11 Post by jamesbond »

greengeek wrote:
MochiMoppel wrote: this code supposedly reveals the bug:

Code:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
:
I try this in Upup3992 and nothing happens. Is that good?
Make sure you typed everything correctly including the space between ")" and "{" and space between "{" and ":".

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#12 Post by greengeek »

Thanks jb - just realised I had used the code wrongly - I put it into a bash script instead of directly into a terminal. Edited my post.

01micko
Posts: 8741
Joined: Sat 11 Oct 2008, 13:39
Location: qld

#13 Post by 01micko »

Slacko "updates manager" should have slacko users covered. It's in the menu under "Set up". Once installed, restart X (equivalent to logout, login). Or reboot if extra paranoid :) CORRECTION: it doesn't because a puppy package covers bash. HOWEVER, still run "updates manager" as this refreshes the "patches" repo database.

Enable "patches" repo in PPM if not already. Then search "bash". Install (make sure from "patches repo"), restart X.

Code:

# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
Puppy Linux Blog - contact me for access

James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

#14 Post by James C »

01micko wrote: Slacko "updates manager" should have slacko users covered. It's in the menu under "Set up". Once installed, restart X (equivalent to logout, login). Or reboot if extra paranoid :)

If that fails, enable "patches" repo in PPM. Then search "bash". Install, restart X.

Code:

# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
As of this moment not available in "updates manager" but is showing in "patches" repo.

Required updating ppm database before pkg would download.

01micko
Posts: 8741
Joined: Sat 11 Oct 2008, 13:39
Location: qld

#15 Post by 01micko »

@James, see "CORRECTION" :)

James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

#16 Post by James C »

Installed

Code:

# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
# 
Good to see fast security fixes.

James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

#17 Post by James C »

Code:

# bash --version
GNU bash, version 4.2.48(2)-release (i486-slackware-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
# 

SFR
Posts: 1800
Joined: Wed 26 Oct 2011, 21:52

#18 Post by SFR »

http://www.infoq.com/news/2014/09/bash-remote-exploit wrote: There's still vulnerability:
UPDATE 25 September: There is still a vulnerability (CVE-2014-7169) even after the above patches have been applied. Thanks to focus in this area, many people are looking at the code and/or fuzzing it to try and find out what else is possible. This was reported on Twitter by Tavis Ormandy and the proof of concept allows remote overwriting of files owned by that process:

$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Thu 25 Sep 2014 08:33:10 BST
Chet Ramey, the maintainer of Bash, has acknowledged the issue and provided a work-in-progress patch, but it has not been officially released on the Bash website. System administrators should consider the currently fixed Bash version to still be vulnerable. When an official patch is provided this post will be updated.
___________

@Mick: Dunno why, but Slackware's bash packages render HOME/END keys unusable in terminal (urxvt, LXTerminal, VTE).
The same happened with bash compiled by myself.
A workaround is to append this to /etc/inputrc:

Code:

"\e[1~": beginning-of-line      # Home Key
"\e[4~": end-of-line            # End Key
Greetings!
[O]bdurate [R]ules [D]estroy [E]nthusiastic [R]ebels => [C]reative [H]umans [A]lways [O]pen [S]ource
Omnia mea mecum porto.
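The two one-liners traded in this thread (post #4's CVE-2014-6271 test and the CVE-2014-7169 follow-up quoted in post #18) are meant to be typed into a terminal and read by eye. The script below is an added example, not code from the thread or from any Puppy package: it wraps both tests into functions that give an explicit "vulnerable"/"patched" verdict, so the result can be checked in a script or across several bash builds (the Slackware packages, a self-compiled bash, the one in a running Puppy). It assumes only a POSIX sh, `env`, `mktemp`, and that the bash under test is passed as the first argument (default: the `bash` on PATH). Two details a quick terminal test can miss are handled: a mistyped path is reported as an error rather than as "patched" (a missing binary produces no "vulnerable" output, which would otherwise look like a pass), and the CVE-2014-7169 test, which creates a file named `echo` in the current directory on a vulnerable bash, is run inside a scratch directory that is removed afterwards.

```shell
#!/bin/sh
# Added example, not from the thread: wraps the two Shellshock test commands
# posted above into checks that return an explicit verdict.
# Usage: ./shellshock_check.sh [/path/to/bash]   (assumed path; default "bash")

# check_cve_2014_6271 BASH_PATH
# Post #4's test: an environment variable whose value starts with "() {" is
# imported as a function, and an unpatched bash also runs the command after
# the closing brace, so "vulnerable" shows up in the output.
# Prints "vulnerable" or "patched"; returns 1 if vulnerable, 0 if patched,
# 2 if the binary cannot be found (so a typo is never reported as "patched").
check_cve_2014_6271() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no such binary: $bash_bin" >&2; return 2; }
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>/dev/null)
    case $out in
        *vulnerable*) echo vulnerable; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# check_cve_2014_7169 BASH_PATH
# The follow-up test quoted in post #18: after the first patch the parser still
# mishandles the trailing backslash, so "echo date" is run as "date" with its
# output redirected into a file named "echo". The check runs the command in an
# empty temporary directory, looks for that file, and removes the directory.
# Same return convention as above.
check_cve_2014_7169() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no such binary: $bash_bin" >&2; return 2; }
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' "$bash_bin" -c "echo date" >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        echo vulnerable
        return 1
    fi
    rm -rf "$tmp"
    echo patched
    return 0
}

# shellshock_report BASH_PATH
# Prints one line per CVE. Exit status is the number of checks that did not
# come back "patched" (vulnerable or error), so 0 means both checks passed.
shellshock_report() {
    bash_bin=${1:-bash}
    bad=0
    for pair in "CVE-2014-6271 check_cve_2014_6271" "CVE-2014-7169 check_cve_2014_7169"; do
        set -- $pair            # $1 = CVE id, $2 = check function
        rc=0
        verdict=$("$2" "$bash_bin" 2>/dev/null) || rc=$?
        if [ "$rc" -eq 2 ]; then verdict="error: binary not found"; fi
        if [ "$rc" -ne 0 ]; then bad=$((bad + 1)); fi
        printf '%s: %s\n' "$1" "$verdict"
    done
    return "$bad"
}

shellshock_report "$@"
```

On a patched bash both lines read "patched" and the script exits 0; on the bash that MochiMoppel tried in post #4 the first line would read "vulnerable", and on a build carrying only the first fix (the situation the InfoQ update describes) the first line reads "patched" while the second reads "vulnerable". Pass an explicit path (for example the `bin/bash` of an unpacked Slackware `.txz`) to test a package before installing it.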

James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

#19 Post by James C »

Tahr 5.8.3 rc1 will update to

Code:

# bash --version
GNU bash, version 4.3.11(1)-release (i686-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
# 

Code:

# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
#

anikin
Posts: 994
Joined: Thu 10 May 2012, 06:16

#20 Post by anikin »

In DebianDog, the following 2 commands got me "good" bash:

Code:

apt-get update
apt-get install bash
Pre-update:

Code:

root@debian:~# env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 
vulnerable
this is a test
root@debian:~#
Post-update:

Code:

root@debian:~# env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
root@debian:~#
