BASH exposure expressed as bigger than Heartbleed<SOLUTIONS>
Shell Shock Bug > dejan555's pet also works in Carolina 1.2
Hi All,
dejan555's pet, http://www.murga-linux.com/puppy/viewto ... 678#800678, also works in Carolina 1.2
Thanks dejan555.
The above was written before I checked the Carolina thread. Geoffrey has also responded to the threat. A Carolina-specific BASH update pet can be obtained thru Carolina's Package Management. It's available here: http://smokey01.com/carolina/pages/recent-repo.html It will probably also work in Racy and Saluki. Thanks Geoffrey.
mikeslr
dejan555's pet, http://www.murga-linux.com/puppy/viewto ... 678#800678, also works in Carolina 1.2
Thanks dejan555.
The above was written before I checked the Carolina thread. Geoffrey has also responded to the threat. A Carolina-specific BASH update pet can be obtained thru Carolina's Package Management. It's available here: http://smokey01.com/carolina/pages/recent-repo.html It will probably also work in Racy and Saluki. Thanks Geoffrey.
mikeslr
Edit: the latest is 030
Compiled the latest patch 026 in Carolina, I used instructions from here, needs modifying to suit as default is installed to /usr/local, change the 25 to the latest patch that's available which at the moment is 26.
b̶a̶s̶h̶-̶4̶.̶3̶.̶2̶6̶-̶1̶.̶p̶e̶t̶ (REMOVED)
b̶a̶s̶h̶-̶4̶.̶3̶.̶2̶8̶-̶1̶.̶p̶e̶t̶ (REMOVED)
b̶a̶s̶h̶-̶4̶.̶3̶.̶2̶9̶-̶1̶.̶p̶e̶t̶ (REMOVED)
bash-4.3.30-1.pet
b̶a̶s̶h̶_̶D̶O̶C̶-̶4̶.̶3̶.̶2̶6̶-̶1̶.̶p̶e̶t̶ (REMOVED)
b̶a̶s̶h̶_̶D̶O̶C̶-̶4̶.̶3̶.̶2̶8̶-̶1̶.̶p̶e̶t̶ (REMOVED)
b̶a̶s̶h̶_̶D̶O̶C̶-̶4̶.̶3̶.̶2̶9̶-̶1̶.̶p̶e̶t̶ (REMOVED)
bash_DOC-4.3.30-1.pet
b̶a̶s̶h̶_̶N̶L̶S̶-̶4̶.̶3̶.̶2̶6̶-̶1̶.̶p̶e̶t̶ (REMOVED)
b̶a̶s̶h̶_̶N̶L̶S̶-̶4̶.̶3̶.̶2̶8̶-̶1̶.̶p̶e̶t̶ (REMOVED)
b̶a̶s̶h̶_̶N̶L̶S̶-̶4̶.̶3̶.̶2̶9̶-̶1̶.̶p̶e̶t̶ (REMOVED)
bash_NLS-4.3.30-1.pet
Compiled the latest patch 026 in Carolina, I used instructions from here, needs modifying to suit as default is installed to /usr/local, change the 25 to the latest patch that's available which at the moment is 26.
Code: Select all
mkdir src
cd src
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
#download all patches
for i in $(seq -f "%03g" 0 25); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
tar zxvf bash-4.3.tar.gz
cd bash-4.3
#apply all patches
for i in $(seq -f "%03g" 0 25);do patch -p0 < ../bash43-$i; done
#build and install
./configure && make && make install
cd ..
cd ..
rm -r src
Code: Select all
# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
date
cat: /tmp/echo: No such file or directory
b̶a̶s̶h̶-̶4̶.̶3̶.̶2̶8̶-̶1̶.̶p̶e̶t̶ (REMOVED)
b̶a̶s̶h̶-̶4̶.̶3̶.̶2̶9̶-̶1̶.̶p̶e̶t̶ (REMOVED)
bash-4.3.30-1.pet
b̶a̶s̶h̶_̶D̶O̶C̶-̶4̶.̶3̶.̶2̶6̶-̶1̶.̶p̶e̶t̶ (REMOVED)
b̶a̶s̶h̶_̶D̶O̶C̶-̶4̶.̶3̶.̶2̶8̶-̶1̶.̶p̶e̶t̶ (REMOVED)
b̶a̶s̶h̶_̶D̶O̶C̶-̶4̶.̶3̶.̶2̶9̶-̶1̶.̶p̶e̶t̶ (REMOVED)
bash_DOC-4.3.30-1.pet
b̶a̶s̶h̶_̶N̶L̶S̶-̶4̶.̶3̶.̶2̶6̶-̶1̶.̶p̶e̶t̶ (REMOVED)
b̶a̶s̶h̶_̶N̶L̶S̶-̶4̶.̶3̶.̶2̶8̶-̶1̶.̶p̶e̶t̶ (REMOVED)
b̶a̶s̶h̶_̶N̶L̶S̶-̶4̶.̶3̶.̶2̶9̶-̶1̶.̶p̶e̶t̶ (REMOVED)
bash_NLS-4.3.30-1.pet
Last edited by Geoffrey on Mon 06 Oct 2014, 05:22, edited 3 times in total.
[b]Carolina:[/b] [url=http://smokey01.com/carolina/pages/recent-repo.html]Recent Repository Additions[/url]
[img]https://dl.dropboxusercontent.com/s/ahfade8q4def1lq/signbot.gif[/img]
[img]https://dl.dropboxusercontent.com/s/ahfade8q4def1lq/signbot.gif[/img]
- michaellowe
- Posts: 66
- Joined: Sat 17 Dec 2011, 08:33
- Location: The Garden
https://launchpad.net/~ubuntu-security-proposed/+archive/ubu
HI everyone It was suggested to me by cimarron to apply this patch found at: https://launchpad.net/~ubuntu-security- ... ld/6408041 and so I did but I have an i686 architecture. I applied the patch and rebooted. how will I know if its working? thanks in advance
Smash forehead on keyboard to continue.....
well thats at least how some of us deal with ba$h !
well thats at least how some of us deal with ba$h !
@michaellowe
Type in the terminal, you should see as shown below, which in my case is the Carolina build i686
Type
Code: Select all
bash --version
Code: Select all
GNU bash, version 4.3.26(1)-release (i686-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
[b]Carolina:[/b] [url=http://smokey01.com/carolina/pages/recent-repo.html]Recent Repository Additions[/url]
[img]https://dl.dropboxusercontent.com/s/ahfade8q4def1lq/signbot.gif[/img]
[img]https://dl.dropboxusercontent.com/s/ahfade8q4def1lq/signbot.gif[/img]
- michaellowe
- Posts: 66
- Joined: Sat 17 Dec 2011, 08:33
- Location: The Garden
Ba$h Version
@ Geoffrey
please find attached a screen shot of my bash version.
I'm on precise 5.7.1 with kernel 3.9.11
am I good to go? cheers
please find attached a screen shot of my bash version.
I'm on precise 5.7.1 with kernel 3.9.11
am I good to go? cheers
- Attachments
-
- bash version.png
- (20.22 KiB) Downloaded 4240 times
Smash forehead on keyboard to continue.....
well thats at least how some of us deal with ba$h !
well thats at least how some of us deal with ba$h !
As I posted above, to check if the new (second) fix is working, paste this line into the terminal:
If your system is vulnerable, the time and date information will be output on the screen (and a file called /tmp/echo will be created):
If your system is not vulnerable, you will see output similar to:
Code: Select all
cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
Code: Select all
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Fri Sep 26 11:49:58 GMT 2014
Code: Select all
date
cat: /tmp/echo: No such file or directory
Last edited by cimarron on Mon 29 Sep 2014, 13:13, edited 2 times in total.
Here is bash 3.0.20 for wary/racy 5.5 that also passes the test.
Please uninstall older versions if you installed it.
A note regarding which version of bash to install.
As mentioned before all bash versions will mostly work. However, newer is not necessarily better . bash-3.x and bash-4.x have some incompatibilities. If your puppy is build with 3.x bash and you install 4.x, will mostly work but some scripts may fail or misbehave.
So check your installed bash version (just type: "bash --version" in terminal) and install the relevant one
Code: Select all
curl https://shellshocker.net/shellshock_test.sh | bash
Please uninstall older versions if you installed it.
A note regarding which version of bash to install.
As mentioned before all bash versions will mostly work. However, newer is not necessarily better . bash-3.x and bash-4.x have some incompatibilities. If your puppy is build with 3.x bash and you install 4.x, will mostly work but some scripts may fail or misbehave.
So check your installed bash version (just type: "bash --version" in terminal) and install the relevant one
Last edited by mavrothal on Thu 02 Oct 2014, 06:03, edited 4 times in total.
== [url=http://www.catb.org/esr/faqs/smart-questions.html]Here is how to solve your[/url] [url=https://www.chiark.greenend.org.uk/~sgtatham/bugs.html]Linux problems fast[/url] ==
EDIT: See this post for latest version(s)
Last edited by dejan555 on Wed 01 Oct 2014, 20:10, edited 1 time in total.
puppy.b0x.me stuff mirrored [url=https://drive.google.com/open?id=0B_Mb589v0iCXNnhSZWRwd3R2UWs]HERE[/url] or [url=http://archive.org/details/Puppy_Linux_puppy.b0x.me_mirror]HERE[/url]
Re: is DASH one answer to this vulnerability?
gcmartin wrote:On a comment from a forum member, DASH may not have this vulnerability. Wondering about its compatibility.One other note:
- Can DASH replace BASH by removing BASH and setting a link to DASH along with PATH changes?
- Is that reasonable or inviting problems?
This problem may also exist in embedded systems which use BASH....like your routers, etc. It could explain how some system/networks were breached assuming there are hackers who knew of this area of exposure.
They're certainly not 100% compatible and some scripts that use bash specific features instead external cli apps will have errors, also:
Lindh’s NAS ran Bash alternative Dash by default and a tweet from security researcher Dragos Ruiu appeared to back up Lindh’s early research. If derivatives of Bash are also vulnerable to Shellshock, this would widen the number of potential targets massively.
“We should probably not make big a fuss about that just yet, but if it turns out that some old Dash shells are also vulnerable, then consumer appliances will definitely be at risk,
puppy.b0x.me stuff mirrored [url=https://drive.google.com/open?id=0B_Mb589v0iCXNnhSZWRwd3R2UWs]HERE[/url] or [url=http://archive.org/details/Puppy_Linux_puppy.b0x.me_mirror]HERE[/url]
- OscarTalks
- Posts: 2196
- Joined: Mon 06 Feb 2012, 00:58
- Location: London, England
I was testing Slacko 5.7 with the first slackware patch applied yesterday and did notice that Frisbee seemed dead as a dodo. Other network tools were still OK.cimarron wrote:NOTE: When I installed either the first or second fix, using ubuntu precise packages for my precise 5.7.1 pup, it seems to have broken Frisbee somewhat.
Oscar in England
Another, even more annoying, issue with Slackware's bash binary: when I am typing a long line, that exceeds the right margin, it no longer wraps to the next line, but instead some maddening, horizontal scroll mode turns on.SFR wrote:@Mick: Dunno why, but Slackware's bash packages render HOME/END keys unusable in terminal (urxvt, LXTerminal, VTE).
The same happened with bash compiled by myself.
A workaround is to append this to /etc/inputrc:Greetings!Code: Select all
"\e[1~": beginning-of-line # Home Key "\e[4~": end-of-line # End Key
It's impossible to highlight & copy such over-extended line!
Ok, it took me some time and nerves, but long story short: after I compiled bash with '--with-curses' (also literally) both issues are gone.
All patches applied, pkg for Slacko 32bit: bash-4.1.17.pet.
MD5: 65d5f2f8c8447a1e87936e3976d5e947 bash-4.1.17.pet
EDIT: updated to the latest (#14) patch.
EDIT2: updated to the latest (#17) patch.
Greetings!
Last edited by SFR on Tue 25 Nov 2014, 20:18, edited 2 times in total.
[color=red][size=75][O]bdurate [R]ules [D]estroy [E]nthusiastic [R]ebels => [C]reative [H]umans [A]lways [O]pen [S]ource[/size][/color]
[b][color=green]Omnia mea mecum porto.[/color][/b]
[b][color=green]Omnia mea mecum porto.[/color][/b]
- prehistoric
- Posts: 1744
- Joined: Tue 23 Oct 2007, 17:34
Applied dejan555 second version to stemsee's Puppy Precise 5.7.1 and ran cimarron's test script in console. So far, so good.
We need more testers, and we have a problem explaining the requirements to people who do not regularly compile code, and are not aware of the genealogy of the Puppy they are running. It took a while for me to decide that a 32-bit .deb package would work, and finding correct binaries on Ubuntu sites is currently challenging. When I started I was not sure if I was running a 32-bit PAE kernel or 64-bit kernel. For those with less experience this would be a serious obstacle.
We also need better explanations of the ancestry of the many Pupplets out there. Not everyone keeps up with code names used by Ubuntu, Debian or Puppy.
At first I thought the fix had failed, because I also got the syntax warning in cimarron's post. Then I realized the syntax error was necessary to run the test. The important thing was that no output file was created as a result. Before testing becomes more widespread we need to explain such details so that ordinary users don't have to puzzle this out on their own.
Any feature of open source code which can sit there for a couple of decades without anyone noticing has to be pretty obscure. This fits that description.
We need more testers, and we have a problem explaining the requirements to people who do not regularly compile code, and are not aware of the genealogy of the Puppy they are running. It took a while for me to decide that a 32-bit .deb package would work, and finding correct binaries on Ubuntu sites is currently challenging. When I started I was not sure if I was running a 32-bit PAE kernel or 64-bit kernel. For those with less experience this would be a serious obstacle.
We also need better explanations of the ancestry of the many Pupplets out there. Not everyone keeps up with code names used by Ubuntu, Debian or Puppy.
At first I thought the fix had failed, because I also got the syntax warning in cimarron's post. Then I realized the syntax error was necessary to run the test. The important thing was that no output file was created as a result. Before testing becomes more widespread we need to explain such details so that ordinary users don't have to puzzle this out on their own.
Any feature of open source code which can sit there for a couple of decades without anyone noticing has to be pretty obscure. This fits that description.
As this article: http://cloudgames.com/blog/fix-bash-exp ... u-apt-get/
implies, older debian/ubuntu based systems, can use bash from the current stable release. No need to search/wait for special, "old" versions. Makes sense.
implies, older debian/ubuntu based systems, can use bash from the current stable release. No need to search/wait for special, "old" versions. Makes sense.
I happen to be running a small webserver in Puppy 4.31 small on an Igel thin client.mavrothal wrote:Here is bash 3.0.18 for wary/racy 5.5 that also passes thetest.Code: Select all
cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
http://www.murga-linux.com/puppy/viewto ... 271#508271
Not knowing how to switch shells for the vulnerable server functions, I'm grateful for this. Thanks.
Code: Select all
# bash -version
GNU bash, version 3.00.18(1)-release (i486-pc-linux-gnu)
Copyright (C) 2004 Free Software Foundation, Inc.
# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
date
cat: /tmp/echo: No such file or directory
# cat /etc/puppyversion
431
BASH exposure expressed as bigger than Heartbleed.
As suggested by Cimarron in an earlier post, I typed the following into the terminal to test Bash in my installation:
cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
The result I got was:
env: can't execute 'Bash': No such file or directory
cat: /temp/echo: No such file or directory
Hopefully, although the phrasing is not identical to that Cimarron shows for a non-vulnerable system, it would seem that as no date is shown, Bash is not vulnerable on my system at present. I would be grateful if the Puppy experts out there could confirm this (or otherwise) as I am still fairly naive when it comes to the under the bonnet/hood workings of Linux systems.
Taking Prehistoric's comment ("Before testing becomes more widespread we need to explain such details so that ordinary users don't have to puzzle this out on their own."), as one of those 'ordinary' users, I would appreciate any explanation in not too technical language.
I have considered removing Puppy Precise 5.7.1 from my dual boot (XP Pro) system by booting up my XP installation disc, opening the 'Repair' option and running 'fixmbr'. I would then return to using live discs for Puppy but perhaps there is no need to take such a drastic step - it's a question of lack of confidence caused by a lack of knowledge on my part. I'm more confident with Windows XP because I know it better but like Puppy very much and decided on dual booting for security reasons when Microsoft support for XP finished - I though I use Puppy for the bulk of my internet activity, so this Bash issue is a little ironic.
cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
The result I got was:
env: can't execute 'Bash': No such file or directory
cat: /temp/echo: No such file or directory
Hopefully, although the phrasing is not identical to that Cimarron shows for a non-vulnerable system, it would seem that as no date is shown, Bash is not vulnerable on my system at present. I would be grateful if the Puppy experts out there could confirm this (or otherwise) as I am still fairly naive when it comes to the under the bonnet/hood workings of Linux systems.
Taking Prehistoric's comment ("Before testing becomes more widespread we need to explain such details so that ordinary users don't have to puzzle this out on their own."), as one of those 'ordinary' users, I would appreciate any explanation in not too technical language.
I have considered removing Puppy Precise 5.7.1 from my dual boot (XP Pro) system by booting up my XP installation disc, opening the 'Repair' option and running 'fixmbr'. I would then return to using live discs for Puppy but perhaps there is no need to take such a drastic step - it's a question of lack of confidence caused by a lack of knowledge on my part. I'm more confident with Windows XP because I know it better but like Puppy very much and decided on dual booting for security reasons when Microsoft support for XP finished - I though I use Puppy for the bulk of my internet activity, so this Bash issue is a little ironic.
- prehistoric
- Posts: 1744
- Joined: Tue 23 Oct 2007, 17:34
@Kester,
You don't need to do anything to invoke Bash from a console. It is the default command-line processor. If you tried to execute "Bash" you would run into the problem that a Unix/Linux console is case sensitive, so "Bash" is different from "bash", which is generally invoked automatically as "/bin/sh" without you having to specify anything. You may not even find the name "bash" in your /bin directory.
You can also save yourself some tricky typing by simply highlighting the test command in your browser, directly from this web page, and then doing a "middle-click" in your console window. This will copy highlighted text without needing a cut-and-paste.
You don't need to do anything to invoke Bash from a console. It is the default command-line processor. If you tried to execute "Bash" you would run into the problem that a Unix/Linux console is case sensitive, so "Bash" is different from "bash", which is generally invoked automatically as "/bin/sh" without you having to specify anything. You may not even find the name "bash" in your /bin directory.
You can also save yourself some tricky typing by simply highlighting the test command in your browser, directly from this web page, and then doing a "middle-click" in your console window. This will copy highlighted text without needing a cut-and-paste.
[quote]I appreciate the effort made in patch bash43-026, but this patch doesn't even BEGIN to solve the underlying shellshock problem. This patch just continues the "whack-a-mole" job of fixing parsing errors that began with the first patch. Bash's parser is certain have many many many other vulnerabilities; it was never designed to be security-relevant…John Haxby recently posted that "A friend of mine said this could be a vulnerability gift that keeps on giving.