Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

The time now is Sun 18 Aug 2019, 17:53
All times are UTC - 4
 Forum index » Off-Topic Area » Security
BASH exposure expressed as bigger than Heartbleed<SOLUTIONS>
Post new topic   Reply to topic View previous topic :: View next topic
Page 4 of 13 [186 Posts]   Goto page: Previous 1, 2, 3, 4, 5, 6, ..., 11, 12, 13 Next
Author Message
cimarron


Joined: 30 May 2013
Posts: 293

PostPosted: Fri 26 Sep 2014, 17:03    Post subject:  

Looks like a more complete fix has been released:
New “Shellshock” patch rushed out to resolve gaps in first fix
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762761

Ubuntu-based pups can get new bash packages here:
https://launchpad.net/ubuntu/+source/bash

Redhat provides this new test to see if the more complete fix works:

Quote:
The fix for CVE-2014-7169 ensures that the system is protected from the file creation issue. To test if your version of Bash is vulnerable to CVE-2014-7169, run the following command:

$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Fri Sep 26 11:49:58 GMT 2014

If your system is vulnerable, the time and date information will be output on the screen and a file called /tmp/echo will be created.

If your system is not vulnerable, you will see output similar to:

$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory

The new Precise package seems to work in Precise puppy 5.7.1 (I had to uninstall the first bash fix package before installing the new one).


WARNING: When I installed either the first or second fix, using ubuntu precise packages for my precise 5.7.1 pup, it seems to have broken Frisbee. It connects okay (to preconfigured network) and I can run the manager, but no networks show up in the scan results window, and no interfaces show up in the interfaces tab window. Anyone else have this problem?

When I uninstalled the bash fix (in my frugal install), Frisbee worked fine. (I've put this note in the Frisbee thread as well.)


Update: There's a new version of bash out now that does not break Frisbee. Geoffrey provided it in another thread (and it's been tested in a number of pups):

bash 4.3.27
(does not break Frisbee)

Last edited by cimarron on Mon 29 Sep 2014, 09:34; edited 5 times in total
Back to top
View user's profile Send private message 
mikeslr


Joined: 16 Jun 2008
Posts: 3271
Location: 500 seconds from Sol

PostPosted: Fri 26 Sep 2014, 19:48    Post subject: Shell Shock Bug > dejan555's pet also works in Carolina 1.2  

Hi All,

dejan555's pet, http://www.murga-linux.com/puppy/viewtopic.php?p=800678#800678, also works in Carolina 1.2

Thanks dejan555.

The above was written before I checked the Carolina thread. Geoffrey has also responded to the threat. A Carolina-specific BASH update pet can be obtained thru Carolina's Package Management. It's available here: http://smokey01.com/carolina/pages/recent-repo.html It will probably also work in Racy and Saluki. Thanks Geoffrey.

mikeslr
Back to top
View user's profile Send private message 
Geoffrey


Joined: 30 May 2010
Posts: 2377
Location: Queensland

PostPosted: Fri 26 Sep 2014, 20:11    Post subject:  

Edit: the latest is 030
Compiled the latest patch 026 in Carolina, I used instructions from here, needs modifying to suit as default is installed to /usr/local, change the 25 to the latest patch that's available which at the moment is 26.
Code:
mkdir src
cd src
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
#download all patches
for i in $(seq -f "%03g" 0 25); do wget     http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
tar zxvf bash-4.3.tar.gz
cd bash-4.3
#apply all patches
for i in $(seq -f "%03g" 0 25);do patch -p0 < ../bash43-$i; done
#build and install
./configure && make && make install
cd ..
cd ..
rm -r src


Code:
# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
date
cat: /tmp/echo: No such file or directory


b̶a̶s̶h̶-̶4̶.̶3̶.̶2̶6̶-̶1̶.̶p̶e̶t̶ (REMOVED)

b̶a̶s̶h̶-̶4̶.̶3̶.̶2̶8̶-̶1̶.̶p̶e̶t̶ (REMOVED)

b̶a̶s̶h̶-̶4̶.̶3̶.̶2̶9̶-̶1̶.̶p̶e̶t̶ (REMOVED)

bash-4.3.30-1.pet

b̶a̶s̶h̶_̶D̶O̶C̶-̶4̶.̶3̶.̶2̶6̶-̶1̶.̶p̶e̶t̶ (REMOVED)

b̶a̶s̶h̶_̶D̶O̶C̶-̶4̶.̶3̶.̶2̶8̶-̶1̶.̶p̶e̶t̶ (REMOVED)

b̶a̶s̶h̶_̶D̶O̶C̶-̶4̶.̶3̶.̶2̶9̶-̶1̶.̶p̶e̶t̶ (REMOVED)

bash_DOC-4.3.30-1.pet

b̶a̶s̶h̶_̶N̶L̶S̶-̶4̶.̶3̶.̶2̶6̶-̶1̶.̶p̶e̶t̶ (REMOVED)

b̶a̶s̶h̶_̶N̶L̶S̶-̶4̶.̶3̶.̶2̶8̶-̶1̶.̶p̶e̶t̶ (REMOVED)

b̶a̶s̶h̶_̶N̶L̶S̶-̶4̶.̶3̶.̶2̶9̶-̶1̶.̶p̶e̶t̶ (REMOVED)

bash_NLS-4.3.30-1.pet

_________________
Carolina: Recent Repository Additions


Last edited by Geoffrey on Mon 06 Oct 2014, 01:22; edited 3 times in total
Back to top
View user's profile Send private message 
michaellowe


Joined: 17 Dec 2011
Posts: 69
Location: The Garden

PostPosted: Fri 26 Sep 2014, 20:18    Post subject: https://launchpad.net/~ubuntu-security-proposed/+archive/ubu  

HI everyone It was suggested to me by cimarron to apply this patch found at: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/6408041 and so I did but I have an i686 architecture. I applied the patch and rebooted. how will I know if its working? thanks in advance
_________________
Smash forehead on keyboard to continue.....
well thats at least how some of us deal with ba$h !
Back to top
View user's profile Send private message 
Geoffrey


Joined: 30 May 2010
Posts: 2377
Location: Queensland

PostPosted: Fri 26 Sep 2014, 20:31    Post subject:  

@michaellowe

Type
Code:
bash --version
in the terminal, you should see as shown below, which in my case is the Carolina build i686

Code:
GNU bash, version 4.3.26(1)-release (i686-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

_________________
Carolina: Recent Repository Additions

Back to top
View user's profile Send private message 
michaellowe


Joined: 17 Dec 2011
Posts: 69
Location: The Garden

PostPosted: Fri 26 Sep 2014, 21:03    Post subject: Ba$h Version  

@ Geoffrey

please find attached a screen shot of my bash version.
I'm on precise 5.7.1 with kernel 3.9.11



am I good to go? cheers
bash version.png
 Description   
 Filesize   20.22 KB
 Viewed   4230 Time(s)

bash version.png


_________________
Smash forehead on keyboard to continue.....
well thats at least how some of us deal with ba$h !
Back to top
View user's profile Send private message 
cimarron


Joined: 30 May 2013
Posts: 293

PostPosted: Fri 26 Sep 2014, 21:11    Post subject:  

As I posted above, to check if the new (second) fix is working, paste this line into the terminal:
Code:
cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo


If your system is vulnerable, the time and date information will be output on the screen (and a file called /tmp/echo will be created):
Code:
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Fri Sep 26 11:49:58 GMT 2014


If your system is not vulnerable, you will see output similar to:
Code:
date
cat: /tmp/echo: No such file or directory

Last edited by cimarron on Mon 29 Sep 2014, 09:13; edited 2 times in total
Back to top
View user's profile Send private message 
mavrothal


Joined: 24 Aug 2009
Posts: 3056

PostPosted: Sat 27 Sep 2014, 01:39    Post subject:  

Here is bash 3.0.20 for wary/racy 5.5 that also passes the
Code:
curl https://shellshocker.net/shellshock_test.sh | bash
test.

Please uninstall older versions if you installed it.

A note regarding which version of bash to install.
As mentioned before all bash versions will mostly work. However, newer is not necessarily better Smile . bash-3.x and bash-4.x have some incompatibilities. If your puppy is build with 3.x bash and you install 4.x, will mostly work but some scripts may fail or misbehave.
So check your installed bash version (just type: "bash --version" in terminal) and install the relevant one

_________________
== Here is how to solve your Linux problems fast ==

Last edited by mavrothal on Thu 02 Oct 2014, 02:03; edited 4 times in total
Back to top
View user's profile Send private message 
dejan555


Joined: 30 Nov 2008
Posts: 2807
Location: Montenegro

PostPosted: Sat 27 Sep 2014, 01:44    Post subject:  

EDIT: See this post for latest version(s)
_________________
puppy.b0x.me stuff mirrored HERE or HERE

Last edited by dejan555 on Wed 01 Oct 2014, 16:10; edited 1 time in total
Back to top
View user's profile Send private message Visit poster's website MSN Messenger 
starhawk

Joined: 22 Nov 2010
Posts: 5056
Location: Everybody knows this is nowhere...

PostPosted: Sat 27 Sep 2014, 02:23    Post subject:  

Installed bash 4.2.x *.txz for Slackware. NOT A FIX FOR X-SLACKO 2.1 -- it will break your savefile.

I've asked my local guru, user jbruchon (who has posted very little here), to come up with a working version for me. We'll see...

_________________

Back to top
View user's profile Send private message 
dejan555


Joined: 30 Nov 2008
Posts: 2807
Location: Montenegro

PostPosted: Sat 27 Sep 2014, 04:08    Post subject: Re: is DASH one answer to this vulnerability?  

gcmartin wrote:
On a comment from a forum member, DASH may not have this vulnerability. Wondering about its compatibility.
  • Can DASH replace BASH by removing BASH and setting a link to DASH along with PATH changes?
  • Is that reasonable or inviting problems?
One other note:
This problem may also exist in embedded systems which use BASH....like your routers, etc. It could explain how some system/networks were breached assuming there are hackers who knew of this area of exposure.



They're certainly not 100% compatible and some scripts that use bash specific features instead external cli apps will have errors, also:

Quote:
Lindh’s NAS ran Bash alternative Dash by default and a tweet from security researcher Dragos Ruiu appeared to back up Lindh’s early research. If derivatives of Bash are also vulnerable to Shellshock, this would widen the number of potential targets massively.

“We should probably not make big a fuss about that just yet, but if it turns out that some old Dash shells are also vulnerable, then consumer appliances will definitely be at risk,” Lindh added.


http://www.theguardian.com/technology/2014/sep/26/bash-bug-shellshock-richard-stallman

EDIT: Same author they linked to says dash not vulnerable: https://twitter.com/dragosr/status/515571912634687488

The whole thing does seem exagerated by the media, in order to get to bash command line attackers would need to bypass some other security protocols.

_________________
puppy.b0x.me stuff mirrored HERE or HERE
Back to top
View user's profile Send private message Visit poster's website MSN Messenger 
OscarTalks


Joined: 05 Feb 2012
Posts: 1986
Location: London, England

PostPosted: Sat 27 Sep 2014, 04:47    Post subject:  

cimarron wrote:
NOTE: When I installed either the first or second fix, using ubuntu precise packages for my precise 5.7.1 pup, it seems to have broken Frisbee somewhat.

I was testing Slacko 5.7 with the first slackware patch applied yesterday and did notice that Frisbee seemed dead as a dodo. Other network tools were still OK.

_________________
Oscar in England

Back to top
View user's profile Send private message 
SFR


Joined: 26 Oct 2011
Posts: 1726

PostPosted: Sat 27 Sep 2014, 05:18    Post subject:  

SFR wrote:
@Mick: Dunno why, but Slackware's bash packages render HOME/END keys unusable in terminal (urxvt, LXTerminal, VTE).
The same happened with bash compiled by myself.
A workaround is to append this to /etc/inputrc:
Code:
"\e[1~": beginning-of-line      # Home Key
"\e[4~": end-of-line            # End Key

Greetings!

Another, even more annoying, issue with Slackware's bash binary: when I am typing a long line, that exceeds the right margin, it no longer wraps to the next line, but instead some maddening, horizontal scroll mode turns on.
It's impossible to highlight & copy such over-extended line!

Ok, it took me some time and nerves, but long story short: after I compiled bash with '--with-curses' (also literally) both issues are gone.
All patches applied, pkg for Slacko 32bit: bash-4.1.17.pet.
MD5: 65d5f2f8c8447a1e87936e3976d5e947 bash-4.1.17.pet

EDIT: updated to the latest (#14) patch.
EDIT2: updated to the latest (#17) patch.

Greetings!

_________________
[O]bdurate [R]ules [D]estroy [E]nthusiastic [R]ebels => [C]reative [H]umans [A]lways [O]pen [S]ource
Omnia mea mecum porto.

Last edited by SFR on Tue 25 Nov 2014, 16:18; edited 2 times in total
Back to top
View user's profile Send private message 
keniv

Joined: 06 Oct 2009
Posts: 550
Location: Scotland

PostPosted: Sat 27 Sep 2014, 07:54    Post subject:  

dejan555 wrote

Quote:
New version for dpup487, should work with same pups that the previous one was reported to work...


I tested on test savefile again (after removing first fix). Now on normal savefile which seems OK. So again working in Sulu 002 (updated version of Lucid 528).

Thanks again,

Ken.
Back to top
View user's profile Send private message 
prehistoric


Joined: 23 Oct 2007
Posts: 1746

PostPosted: Sat 27 Sep 2014, 09:00    Post subject:  

Applied dejan555 second version to stemsee's Puppy Precise 5.7.1 and ran cimarron's test script in console. So far, so good.

We need more testers, and we have a problem explaining the requirements to people who do not regularly compile code, and are not aware of the genealogy of the Puppy they are running. It took a while for me to decide that a 32-bit .deb package would work, and finding correct binaries on Ubuntu sites is currently challenging. When I started I was not sure if I was running a 32-bit PAE kernel or 64-bit kernel. For those with less experience this would be a serious obstacle.

We also need better explanations of the ancestry of the many Pupplets out there. Not everyone keeps up with code names used by Ubuntu, Debian or Puppy.

At first I thought the fix had failed, because I also got the syntax warning in cimarron's post. Then I realized the syntax error was necessary to run the test. The important thing was that no output file was created as a result. Before testing becomes more widespread we need to explain such details so that ordinary users don't have to puzzle this out on their own.

Any feature of open source code which can sit there for a couple of decades without anyone noticing has to be pretty obscure. This fits that description.
Back to top
View user's profile Send private message 
Display posts from previous:   Sort by:   
Page 4 of 13 [186 Posts]   Goto page: Previous 1, 2, 3, 4, 5, 6, ..., 11, 12, 13 Next
Post new topic   Reply to topic View previous topic :: View next topic
 Forum index » Off-Topic Area » Security
Jump to:  

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.1813s ][ Queries: 12 (0.0787s) ][ GZIP on ]