All times are UTC - 4
BASH exposure expressed as bigger than Heartbleed<SOLUTIONS>
OscarTalks


Joined: 05 Feb 2012
Posts: 1987
Location: London, England

PostPosted: Wed 01 Oct 2014, 14:51    Post subject:  

In Dpup Wheezy I am using the official Debian patched update
bash_4.2+dfsg-0.1+deb7u3_i386.deb
Seems to pass all the tests
Code:
curl -k https://shellshocker.net/shellshock_test.sh | bash
[Attachment: wheezy-bashtest.jpg, description: All systems green]


_________________
Oscar in England

dejan555


Joined: 30 Nov 2008
Posts: 2807
Location: Montenegro

PostPosted: Wed 01 Oct 2014, 15:04    Post subject:  

Yes, I can confirm that my bash shows (redir_stack bug) as vulnerable
I was getting sources from bash's official git for compiling, maybe there are some unofficial patches that are not yet merged into mainline bash?

_________________
puppy.b0x.me stuff mirrored HERE or HERE
neversaynever

Joined: 27 Mar 2014
Posts: 17

PostPosted: Wed 01 Oct 2014, 15:04    Post subject:  

Slacko 5.7
The patch bash-4.2.050 installed by PPM seems to pass all the tests.
watchdog

Joined: 28 Sep 2012
Posts: 1876
Location: Italy

PostPosted: Wed 01 Oct 2014, 15:33    Post subject:  

Patched bash from ubuntu and debian have exclusive dependencies and don't work in old puppies.
dejan555


Joined: 30 Nov 2008
Posts: 2807
Location: Montenegro

PostPosted: Wed 01 Oct 2014, 15:52    Post subject:  

Patch 28 solves the redir_stack bug

bash-4.3.28-1-i486-dpup487.pet

Code:
35 root:~$ bash --version
GNU bash, version 4.3.28(1)-release (i486-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
36 root:~$ curl --insecure https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2009  100  2009    0     0   2601      0 --:--:-- --:--:-- --:--:--  2865
CVE-2014-6271 (original shellshock): not vulnerable
bash: shellshocker: command not found
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable

_________________
puppy.b0x.me stuff mirrored HERE or HERE
sheldonisaac

Joined: 21 Jun 2009
Posts: 845
Location: Philadelphia, PA

PostPosted: Wed 01 Oct 2014, 17:37    Post subject: dejan555's patching  

dejan555 wrote:

http://meownplanet.net/dejan/dpup487/pkgs/bash-4.3.28-1-i486-dpup487.pet

Works fine on this computer, running rerwin's lupusuper2

Thanks a lot for your work, dejan555 !!

Sheldon

_________________
Dell E6410: Xenial, Dpup Stretch, etc
Dell Mini 9, Acer Aspire One, EeePC 1018P, PowerBook G4
Intel D865GBF, Intel DQ35JOE, Dell Vostro 430
ozsouth

Joined: 01 Jan 2010
Posts: 556
Location: S.E Australia

PostPosted: Wed 01 Oct 2014, 18:53    Post subject: SFR patch passes curl test  

SFR's patch (page 5) passes curl test in Slacko 5.7.0
Geoffrey


Joined: 30 May 2010
Posts: 2377
Location: Queensland

PostPosted: Wed 01 Oct 2014, 19:09    Post subject:  

Edit: updated to bash-4.3.39
mavrothal wrote:
Do we know anything more about rg66's version? ie source and configure options?


The latest patch 28 seems to have fixed it, I'm pretty sure that rg66 used the same sources as I did and compiled with
Code:
 ./configure --prefix=/ --with-curses


I compiled using
Code:
./configure --with-curses --bindir=/bin --datarootdir=/usr/share


Code:
bash --version
GNU bash, version 4.3.28(1)-release (i686-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
#
# curl --insecure https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2009  100  2009    0     0   1398      0  0:00:01  0:00:01 --:--:--  1520
CVE-2014-6271 (original shellshock): not vulnerable
bash: shellshocker: command not found
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable


bash-4.3.39.pet

bash_DOC-4.3.39.pet

bash_NLS-4.3.39.pet

_________________
Carolina: Recent Repository Additions


Last edited by Geoffrey on Fri 05 Jun 2015, 01:58; edited 3 times in total
rolf

Joined: 28 Dec 2008
Posts: 34

PostPosted: Wed 01 Oct 2014, 19:50    Post subject:  

Code:
# curl --insecure https://shellshocker.net/shellshock_test.sh | bash
..
CVE-2014-6271 (original shellshock): not vulnerable
bash: shellshocker: command not found
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
bash: line 44: 28799 Segmentation fault      bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null                                       
CVE-2014-7186 (redir_stack bug): VULNERABLE                                                     
bash: line 129: syntax error near `x129'                                                         
bash: line 129: `for x129 in ; do :'                                                             
CVE-2014-7187 (nested loops off by one): VULNERABLE                                             

# bash -version                                                                                 
GNU bash, version 3.00.19(1)-release (i486-pc-linux-gnu)                                         
Copyright (C) 2004 Free Software Foundation, Inc.

# cat /etc/puppyversion
431


Tested per https://shellshocker.net/ as pointed out by James C

Oh, mavrothal! :)
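The two checks that report VULNERABLE in the output above can be run from a local, reviewed file instead of piping a download into bash. This is an added example, not part of any post in this thread or of the shellshocker.net script; the target-path argument and the default nesting depth of 200 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): local checks for CVE-2014-7186/7187.
# The target path argument and the default depth of 200 are assumptions.

# Succeeds only if the binary to test can actually be executed.
can_run() { command -v "$1" >/dev/null 2>&1; }

# CVE-2014-7186 (redir_stack bug): the 14 unterminated here-documents quoted
# in the output above. A fixed bash runs `true` and exits 0; an unfixed one
# crashes (the segmentation fault shown for bash 3.00.19).
check_redir_stack() {
    can_run "$1" || { echo "not testable"; return 0; }
    if "$1" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null
    then echo "not vulnerable"
    else echo "VULNERABLE"
    fi
}

# CVE-2014-7187 (nested loops off by one): nested empty for-loops fed on
# stdin, one per line. Unfixed bash reports a syntax error (at x129 above).
check_nested_loops() {
    can_run "$1" || { echo "not testable"; return 0; }
    depth="${2:-200}"; i=1; opens=""; closes=""
    while [ "$i" -le "$depth" ]; do
        opens="${opens}for x$i in ; do :
"
        closes="${closes}done
"
        i=$((i + 1))
    done
    if printf '%s%s' "$opens" "$closes" | "$1" 2>/dev/null
    then echo "not vulnerable"
    else echo "VULNERABLE"
    fi
}

# Print results in the same "CVE (name): verdict" form used in the thread.
report() {
    echo "CVE-2014-7186 (redir_stack bug): $(check_redir_stack "$1")"
    echo "CVE-2014-7187 (nested loops off by one): $(check_nested_loops "$1")"
}

report "${1:-bash}"
```

Pass the path of the bash binary to test as the first argument, for example a freshly compiled one before it is installed over /bin/bash.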
darry1966


Joined: 26 Feb 2012
Posts: 897

PostPosted: Wed 01 Oct 2014, 20:18    Post subject:  

Same results 4.12 with the 3.0.19 patch from Tuxtoo. However tried the same test in my updated 4.12 with bash-4.3.28-1.pet and seems to be no problems with frisbee still working and passing all tests. Can someone with a "normal" 4.12/4.21 let me know of any problems they strike. By the way petget still works and terminal. Firewall, Seamonkey and flash no obvious things noticed.
James C


Joined: 26 Mar 2009
Posts: 6734
Location: Kentucky

PostPosted: Wed 01 Oct 2014, 23:30    Post subject:  

dejan555 wrote:
Patch 28 solves the redir_stack bug

bash-4.3.28-1-i486-dpup487.pet


Raring 3.9.9.2

Code:
# curl --insecure https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2009  100  2009    0     0   2954      0 --:--:-- --:--:-- --:--:--  4091
CVE-2014-6271 (original shellshock): not vulnerable
bash: shellshocker: command not found
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
#
mavrothal


Joined: 24 Aug 2009
Posts: 3056

PostPosted: Thu 02 Oct 2014, 01:40    Post subject:  

rolf wrote:

Tested per https://shellshocker.net/ as pointed out by James C

Oh, mavrothal! :)

Well... I said "till the next version", didn't I ;)

So patch 20 just came out and now bash 3.0.20 is fine. :D

However, now that the "function" worm of cans is opened I would not be surprised if 21 and 22 are around the corner. Before you throw bash out of your system though, keep in mind CVE-2014-7186 and CVE-2014-7187 (the vulnerabilities in 3.0.19) could only be executed locally, i.e. after someone got hold of your machine, but by then (s)he can do anything to it...
[Attachment: bash3.0.20.png]


_________________
== Here is how to solve your Linux problems fast ==
darry1966


Joined: 26 Feb 2012
Posts: 897

PostPosted: Thu 02 Oct 2014, 03:35    Post subject:  

Many Thanks
rolf

Joined: 28 Dec 2008
Posts: 34

PostPosted: Thu 02 Oct 2014, 07:52    Post subject:  

Code:
# bash -version
GNU bash, version 3.00.20(1)-release (i486-pc-linux-gnu)
Copyright (C) 2004 Free Software Foundation, Inc.
# curl --insecure https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2009  100  2009    0     0   3559      0 --:--:-- --:--:-- --:--:--  4829
CVE-2014-6271 (original shellshock): not vulnerable
bash: shellshocker: command not found
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
# cat /etc/puppyversion
431


Thanks, again, mavrothal. Take a break! ;)
keniv

Joined: 06 Oct 2009
Posts: 550
Location: Scotland

PostPosted: Thu 02 Oct 2014, 09:40    Post subject:  

Confirm dejan555's bash-4.3.28-1-i486-dpup487.pet working on Sulu 002 (updated Lucid 528). I think this is the same version as lupusuper 2 mentioned by sheldonisaac in an earlier post. It passes latest test.

Thanks again,

Ken.