BASH exposure expressed as bigger than Heartbleed<SOLUTIONS>
gcmartin

Joined: 14 Oct 2005
Posts: 6730
Location: Earth

PostPosted: Wed 24 Sep 2014, 22:38    Post subject:  BASH exposure expressed as bigger than Heartbleed<SOLUTIONS>  

This problem potentially affects every modern Puppy distro.
FYI <=== See this

Edited: 2014-10-01
3 articles you may want to read, as they express the problem differently from what has been expressed (misleadingly) in past articles.
What is it "ACTUALLY"?
My modems and routers too!
<=== these companies are chip-board suppliers too.
IOS and JunOS <=== reportedly not affected, though.

Solutions
Updates to BASH addressing issues are reported by membership throughout this thread. Download those solutions as provided.

_________________
Get ACTIVE Create Circles; Do those good things which benefit people's needs!
We are all related ... It's time to show that we know this!
3 Different Puppy Search Engines or use DogPile

Last edited by gcmartin on Tue 07 Oct 2014, 02:22; edited 6 times in total
slavvo67

Joined: 12 Oct 2012
Posts: 1378
Location: The other Mr. 305

PostPosted: Wed 24 Sep 2014, 22:55    Post subject:  

YIKES! Do we know if anyone in Puppyland is working on patching things?

This is very bad!
mavrothal


Joined: 24 Aug 2009
Posts: 2856

PostPosted: Thu 25 Sep 2014, 00:59    Post subject:  

This is a 30 year old bug and as with Heartbleed it affects mostly servers. So no need for major panic.

In any case there are updates available for all major distros so ubuntu, debian and slackware-based puppies are covered.

For T2 puppies (2.x, 4.x, wary, racy) the source code should be patched and recompiled to a new pet. This might get BK (or ttuxxx) out of retirement, though being a "mostly server" bug it might not be worth it...
Later: Here is bash-3.0.22 for Wary-/Racy-5.5

Edit: correct slackware link. Added wary/racy link

Last edited by mavrothal on Mon 06 Oct 2014, 01:54; edited 12 times in total
MochiMoppel


Joined: 26 Jan 2011
Posts: 1278
Location: Japan

PostPosted: Thu 25 Sep 2014, 01:46    Post subject:  

mavrothal wrote:
This is a 30 year old bug
but bash is "only" 25 years old ....

According to Redhat this code supposedly reveals the bug:
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

I tried the bash4.2 included in your linked bash-4.2.045-i486-1.txz patch for Slacko and the code still outputs
Code:
 vulnerable
 this is a test

I'm not in panic, but I'm not relieved either
mavrothal


Joined: 24 Aug 2009
Posts: 2856

PostPosted: Thu 25 Sep 2014, 02:02    Post subject:  

MochiMoppel wrote:

I tried the bash4.2 included in your linked bash-4.2.045-i486-1.txz patch for Slacko and the code still outputs
Code:
 vulnerable
 this is a test

I'm not in panic, but I'm not relieved either

You are right, bash42-048 is the patched version.
This is the correct link for slackware bash

_________________
Kids all over the world go around with an XO laptop. They deserve one puppy (or many) too
MochiMoppel


Joined: 26 Jan 2011
Posts: 1278
Location: Japan

PostPosted: Thu 25 Sep 2014, 02:25    Post subject:  

mavrothal wrote:
You are right, bash42-048 is the patched version.
bash 42?
From your new link I tried bash-4.3.025-i486-1.txz. This works. Thanks!
mavrothal


Joined: 24 Aug 2009
Posts: 2856

PostPosted: Thu 25 Sep 2014, 03:06    Post subject:  

MochiMoppel wrote:
mavrothal wrote:
You are right, bash42-048 is the patched version.
bash 42?
From your new link I tried bash-4.3.025-i486-1.txz. This works. Thanks!

I do not know which puppy you are using but slacko 5.7/6 have bash 4.1 (which is actually from slackware 13.37). The official slackware 14.1 version (that slacko 5.7/6 is based on) is 4.2. 4.3 is for the next slackware version.
Should not make a lot of difference, but given the heavy dependency of puppy on bash I wouldn't be surprised if some issue arises with a different version.

_________________
Kids all over the world go around with an XO laptop. They deserve one puppy (or many) too
jamesbond

Joined: 26 Feb 2007
Posts: 3051
Location: The Blue Marble

PostPosted: Thu 25 Sep 2014, 05:36    Post subject:  

I think all major versions of bash are mostly compatible (4.1 and 4.2 and 4.3; 3.1 and 3.2, etc). That being said, you can get updated bash 4.2 for slackware, for example, here: http://mirrors.slackware.com/slackware/slackware-14.1/patches/packages/bash-4.2.048-i486-1_slack14.1.txz.

The vulnerability is *NOT* as big as Heartbleed, because most people don't use bash as a "server"

_________________
Fatdog64, Slacko and Puppeee user. Puppy user since 2.13.
Contributed Fatdog64 packages thread.
greengeek


Joined: 20 Jul 2010
Posts: 4583
Location: New Zealand

PostPosted: Thu 25 Sep 2014, 05:57    Post subject:  

MochiMoppel wrote:
this code supposedly reveals the bug:
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
:

I try this in Upup3992 and nothing happens. Is that good?

EDIT : Ok I get it - you have to enter this code in a terminal, not make a bash script out of it...
Upup does seem to have the fault (bash 4.1)

Last edited by greengeek on Thu 25 Sep 2014, 06:05; edited 1 time in total
jamesbond

Joined: 26 Feb 2007
Posts: 3051
Location: The Blue Marble

PostPosted: Thu 25 Sep 2014, 06:04    Post subject:  

greengeek wrote:
MochiMoppel wrote:
this code supposedly reveals the bug:
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
:

I try this in Upup3992 and nothing happens. Is that good?

Make sure you typed everything correctly including the space between ")" and "{" and space between "{" and ":".

_________________
Fatdog64, Slacko and Puppeee user. Puppy user since 2.13.
Contributed Fatdog64 packages thread.
greengeek


Joined: 20 Jul 2010
Posts: 4583
Location: New Zealand

PostPosted: Thu 25 Sep 2014, 06:06    Post subject:  

Thanks jb - just realised I had used the code wrongly - I put it into a bash script instead of directly into a terminal. Edited my post.
01micko


Joined: 11 Oct 2008
Posts: 8651
Location: qld

PostPosted: Thu 25 Sep 2014, 06:26    Post subject:  

Slacko "updates manager" should have slacko users covered. It's in the menu under "Set up". Once installed, restart X (equivalent to logout, login). Or reboot if extra paranoid. CORRECTION: it doesn't because a puppy package covers bash. HOWEVER, still run "updates manager" as this refreshes the "patches" repo database.

Enable "patches" repo in PPM if not already. Then search "bash". Install (make sure from "patches repo"), restart X.

Code:
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

_________________
Puppy Linux Blog - contact me for access
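
The check quoted in the posts above, wrapped so that several bash binaries can be audited in one run. This is an added example, not part of any post in this thread; the function names are hypothetical, and the probe string and the two expected outputs are the ones quoted above.

```sh
#!/bin/sh
# Added example: audit bash binaries with the probe quoted in this thread.
# Function names are hypothetical; the probe string and the expected
# outputs are the ones posted above.

# Run the probe against one shell binary and print its stdout.
# The injected trailing command is only an echo, so the probe is harmless.
probe_shell() {
    env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null
}

# Classify probe output: a line reading exactly "vulnerable" means the
# text after the function body was executed while importing the variable.
classify_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        echo patched
    else
        echo unknown
    fi
}

# Print one verdict for one binary: missing, vulnerable, patched or unknown.
check_shell() {
    if [ ! -x "$1" ]; then
        echo missing
        return 0
    fi
    probe_out=$(probe_shell "$1") || true
    classify_output "$probe_out"
}

# Report every path given; return 1 if any binary is still vulnerable.
audit_shells() {
    audit_status=0
    for shell_path in "$@"; do
        verdict=$(check_shell "$shell_path")
        printf '%s: %s\n' "$shell_path" "$verdict"
        if [ "$verdict" = vulnerable ]; then audit_status=1; fi
    done
    return "$audit_status"
}

if [ "$#" -gt 0 ]; then audit_shells "$@"; fi
```

Pass the paths to check as arguments, one per installed bash binary. A `patched` verdict covers only the behaviour this one probe exercises.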
James C


Joined: 26 Mar 2009
Posts: 6696
Location: Kentucky

PostPosted: Thu 25 Sep 2014, 06:53    Post subject:  

01micko wrote:
Slacko "updates manager" should have slacko users covered. It's in the menu under "Set up". Once installed, restart X (equivalent to logout, login). Or reboot if extra paranoid.

If that fails, enable "patches" repo in PPM. Then search "bash". Install, restart X.

Code:
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test


As of this moment not available in "updates manager" but is showing in "patches" repo.

Required updating ppm database before pkg would download.
01micko


Joined: 11 Oct 2008
Posts: 8651
Location: qld

PostPosted: Thu 25 Sep 2014, 06:55    Post subject:  

@James, see "CORRECTION"
_________________
Puppy Linux Blog - contact me for access