
#1 2014-09-24 16:35:55

twoion
Moderator
Registered: 2012-05-11
Posts: 1,648

[CVE-2014-6271] Update the Bash package ASAP

security-tracker.debian.org

ATM only wheezy is fixed, jessie & sid are still vulnerable.

[Context]


Tannhäuser ~ {www,pkg,ddl}.bunsenlabs.org/{gitlog,repoidx}


#2 2014-09-24 22:44:30

chillicampari
Pinball Wizard
Registered: 2009-10-09
Posts: 2,728

Re: [CVE-2014-6271] Update the Bash package ASAP

(stickied)


#3 2014-09-25 11:15:32

plebian
Member
Registered: 2014-08-28
Posts: 18

Re: [CVE-2014-6271] Update the Bash package ASAP

Waiting for a jessie fix; it's times like these I'm glad I run my servers on Ubuntu server


#4 2014-09-25 11:22:02

twoion
Moderator
Registered: 2012-05-11
Posts: 1,648

Re: [CVE-2014-6271] Update the Bash package ASAP

Turns out that the first patch to Bash was incomplete; Bash is still vulnerable in some way or another: CVE-2014-6271 on OSS SEC.

A full patch already exists and is available in Ubuntu (since it was written by an Ubuntu Security Engineer). [Source]

Last edited by twoion (2014-09-25 11:23:04)



#5 2014-09-25 12:09:00

twoion
Moderator
Registered: 2012-05-11
Posts: 1,648

Re: [CVE-2014-6271] Update the Bash package ASAP

BTW here is a patch which completely removes the functionality for exporting shell functions from Bash big_smile Just to make sure. @Pastebin, for bash-4.3.24. Credit.



#6 2014-09-25 20:43:55

Head_on_a_Stick
CatMod
From: A world of pure imagination
Registered: 2014-01-21
Posts: 4,797

Re: [CVE-2014-6271] Update the Bash package ASAP

Test your vulnerability with:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

My Debian Sid says:

empty@Debian ~ % env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Safe!
big_smile

EDIT: Sorry, it's not fully fixed yet... (didn't read the whole thread) :8
Soon, though.

Last edited by Head_on_a_Stick (2014-09-25 20:48:33)


#7 2014-09-25 21:31:18

CSCoder4ever
BL Keyboard Troll
From: /dev/zero
Registered: 2013-09-03
Posts: 2,256

Re: [CVE-2014-6271] Update the Bash package ASAP

Laptop is fine, I updated the desktop this morning but haven't tried running the command yet.

Still will need to update my Slackstation, Raspberry Pi, server, and other server.


#8 2014-09-26 01:21:57

Sector11
#!'er to BL'er
From: SR11 Cockpit
Registered: 2010-05-05
Posts: 15,667
Website

Re: [CVE-2014-6271] Update the Bash package ASAP

So what the heck I'm game:

 25 Sep 14 | 13:41:57 ~
    $ apt-listbugs list bash
Retrieving bug reports... Done
Parsing Found/Fixed information... Done
grave bugs of bash (-> ) <unfixed>
 #762760 - bash: still vulnerable to environment exploits
   Merged with: 762761
Summary:
 bash(1 bug)
 
 25 Sep 14 | 13:42:18 ~
    $ cpol bash
bash:
  Installed: 4.2+dfsg-0.1+deb7u1
  Candidate: 4.2+dfsg-0.1+deb7u1
  Version table:
 *** 4.2+dfsg-0.1+deb7u1 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     4.2+dfsg-0.1 0
        500 ftp://ftp.debian.org/debian/ wheezy/main amd64 Packages
 
 25 Sep 14 | 13:42:21 ~
    $ 

If I CRUNCH BANG CRASH & BURN it's only a reinstall anyway.  big_smile


·  ↓   ↓   ↓   ↓   ↓   ↓  ·
BunsenLabs Forums now Open for Registration
·  ↑   ↑   ↑   ↑   ↑   ↑  · BL ModSquad


#9 2014-09-26 10:18:50

pvsage
Internal Affairs
From: North Carolina
Registered: 2009-10-18
Posts: 13,970

Re: [CVE-2014-6271] Update the Bash package ASAP

There was a newly-patched version last night (+deb7u3)...

~$ apt-listbugs list bash
Retrieving bug reports... Done
Parsing Found/Fixed information... Done
grave bugs of bash (-> ) <marked as done in some version>
 #762760 - bash: CVE-2014-7169: Incomplete fix for CVE-2014-6271 (Fixed: bash/4.2+dfsg-0.1+deb7u3 bash/4.1-3+deb6u2 bash/4.3-9.2)
   Merged with: 762761
Summary:
 bash(1 bug)
~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test

Fixed?


#10 2014-09-26 14:00:58

BruceJohnJennerLawso
#! Member
Registered: 2014-02-23
Posts: 50

Re: [CVE-2014-6271] Update the Bash package ASAP

Updated bash just now, looks to be fixed on my end, although it looks slightly different here:

bruce@bruce:~$ x='() { :;}; echo "VULNERABLE"' bash -c "echo this is a test"
this is a test
bruce@bruce:~$ 

not getting the feedback on ignoring the attempt before bash echoes "this is a test", but the hole appears to be plugged as best as I can tell.

To think this was hiding in bash for years  yikes


The computer is mightier than the pen, the sword, and usually the programmer.

My Projects on Github


#11 2014-09-26 14:20:03

Sector11
#!'er to BL'er
From: SR11 Cockpit
Registered: 2010-05-05
Posts: 15,667
Website

Re: [CVE-2014-6271] Update the Bash package ASAP

BruceJohnJennerLawso wrote:

To think this was hiding in bash for years  :o

And it's not a diamond in the rough either

Neither am I with that test or the way I found it with "env" at the beginning ... it's a good thing:

 26 Sep 14 | 11:13:54 ~
    $ x='() { :;}; echo "VULNERABLE"' bash -c "echo this is a test"
this is a test
 
 26 Sep 14 | 11:13:56 ~
    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
 
 26 Sep 14 | 11:13:59 ~
    $ 


#12 2014-09-26 15:53:25

YoYoLives
New Member
Registered: 2014-09-26
Posts: 8

Re: [CVE-2014-6271] Update the Bash package ASAP

Hi everyone,

I've been lurking around the forum for a bit and thought I'd finally register as the following page on the Bash vulnerability may be of interest to some people.

http://www.troyhunt.com/2014/09/everyth … about.html

When I read it on the train it was still a bit unclear as to whether the patch works or not, but it seems that developments are moving fast (except for Apple, who I imagine are busy fixing iOS8 and bendy phones) so this may have changed.

Last edited by YoYoLives (2014-09-26 15:53:58)


#13 2014-09-26 20:36:30

#!_828
#! Tinfoil Hat
From: Ohio, U. S. of A.
Registered: 2013-09-19
Posts: 1,244

Re: [CVE-2014-6271] Update the Bash package ASAP

Yep, this vulnerability is scary. Almost as scary as how the media completely botched pretty much everything about it!   hmm


Those who would trade essential liberty for temporary security deserve neither
Member of the (Un)Official #! Emergency Tinfoil Hat Distribution Center
Emergency Tinfoil Hat Conky Alert System development team


#14 2014-09-26 20:54:15

#!_828
#! Tinfoil Hat
From: Ohio, U. S. of A.
Registered: 2013-09-19
Posts: 1,244

Re: [CVE-2014-6271] Update the Bash package ASAP

Also, how does one see what version of bash they're currently running?



#15 2014-09-26 20:57:22

Head_on_a_Stick
CatMod
From: A world of pure imagination
Registered: 2014-01-21
Posts: 4,797

Re: [CVE-2014-6271] Update the Bash package ASAP

@#!_828:

apt-cache show bash

Just keep checking for updates, there was a second vulnerability found after I posted the "vulnerability check"...
hmm


#16 2014-09-26 21:02:01

Unia
#! Octo-portal-pussy
From: The Netherlands
Registered: 2010-07-17
Posts: 4,634
Website

Re: [CVE-2014-6271] Update the Bash package ASAP

The patch for that is already out I believe... unless you aren't talking about the first patch not patching everything completely.

Also:

+┌─jente @ ~ 23:00:09 
 └─╼ bash --version
bash --version
GNU bash, version 4.3.26(1)-release (x86_64-unknown-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

If you can't sit by a cozy fire with your code in hand enjoying its simplicity and clarity, it needs more work. --Carlos Torres

I am a #! forum moderator. Feel free to send me a PM with any question you have!


#17 2014-09-26 21:09:57

#!_828
#! Tinfoil Hat
From: Ohio, U. S. of A.
Registered: 2013-09-19
Posts: 1,244

Re: [CVE-2014-6271] Update the Bash package ASAP

Head_on_a_Stick wrote:

@#!_828:

apt-cache show bash

Thanks.
Also, I found

bash --version

My old bash (before update) was v4.2.1-something. The fixed version should appear as 4.2.37(1)
So that takes care of that, crisis averted (for now)  cool



#18 2014-09-26 21:43:41

CSCoder4ever
BL Keyboard Troll
From: /dev/zero
Registered: 2013-09-03
Posts: 2,256

Re: [CVE-2014-6271] Update the Bash package ASAP

Could give zsh a try #!_828 8o

#!_828 wrote:

Yep, this vulnerability is scary. Almost as scary as how the media completely botched pretty much everything about it!   hmm

looooooooooooooooooooooooooooooooooooooool.

That's funny.


#19 2014-09-26 22:14:56

Sector11
#!'er to BL'er
From: SR11 Cockpit
Registered: 2010-05-05
Posts: 15,667
Website

Re: [CVE-2014-6271] Update the Bash package ASAP

#!_828 wrote:

Yep, this vulnerability is scary. Almost as scary as how the media completely botched pretty much everything about it!   hmm

Hilarious!!

So is it:

  • the bug known as Bash, or

  • the BashBug

No wonder I'm shellshocked here ... no wrong that would be: shell shocked!  lol  lol  lol

Did I really hear "line-ux" - - - -  I did - I did!



#20 2014-09-26 23:11:50

#!_828
#! Tinfoil Hat
From: Ohio, U. S. of A.
Registered: 2013-09-19
Posts: 1,244

Re: [CVE-2014-6271] Update the Bash package ASAP

My favorite was in the beginning, "Another computer bug out there that could eat your software, the new bug is called 'Brash' [sic], it's called the 'Bash-bug,' the bug known as 'Bash'. Also at 00:24, "It is called the 'Bash-bug' and it lets someone hack every device in your house . . ."  lol  lol  lol



#21 2014-09-26 23:14:40

Head_on_a_Stick
CatMod
From: A world of pure imagination
Registered: 2014-01-21
Posts: 4,797

Re: [CVE-2014-6271] Update the Bash package ASAP

Have I ever mentioned how good zsh is?
]:D

EDIT: symlinked /bin/sh to dash in Arch, just in case (Debian already does this)...

Last edited by Head_on_a_Stick (2014-09-26 23:18:53)


#22 2014-09-26 23:17:52

#!_828
#! Tinfoil Hat
From: Ohio, U. S. of A.
Registered: 2013-09-19
Posts: 1,244

Re: [CVE-2014-6271] Update the Bash package ASAP

Head_on_a_Stick wrote:

Have I ever mentioned how good zsh is?

Well, I use zsh on my (infrequently used) Arch system, but beyond that, I think I'll be sticking with 'the bug known as Bash' at least for the foreseeable future  wink

Last edited by #!_828 (2014-09-26 23:18:08)



#23 2014-09-26 23:18:16

CSCoder4ever
BL Keyboard Troll
From: /dev/zero
Registered: 2013-09-03
Posts: 2,256

Re: [CVE-2014-6271] Update the Bash package ASAP

Well I'm convinced at least  big_smile


#24 2014-09-26 23:25:12

Head_on_a_Stick
CatMod
From: A world of pure imagination
Registered: 2014-01-21
Posts: 4,797

Re: [CVE-2014-6271] Update the Bash package ASAP

Oh dear:

empty@Arch ~ % cd /tmp && rm -f /tmp/echo && env 'x=() { :;}; echo vulnerable' 'f=() { (a)=>\' bash -c 'echo echo vulnerable'; cat echo
echo vulnerable
cat: echo: No such file or directory

https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c47
sad
Anyone try this on Debian?

These relate to CVE-2014-7169, CVE-2014-7186 & CVE-2014-7187

EDIT: According to @lolilolicon (Arch bash ninja), the above output actually means my system is resistant to all 4 (currently) known exploits...

lolilolicon wrote:

A vulnerable bash should have created a file ./echo with "vulnerable" in it.

smile

Last edited by Head_on_a_Stick (2014-09-26 23:57:34)

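The self-tests quoted in this thread (the env test from post #6, the "./echo file" test from post #24 and the `bash --version` check from #16), collected into one script that reports a verdict for the local host. This is an added example, not code from the thread or from any of its posters; the function names, the "patched"/"vulnerable"/"no-bash" labels and the use of mktemp(1) and sed(1) are my own assumptions.

```shell
# Added example (not from the thread): wraps the two self-tests posted above
# into functions so a host can be checked in one call. Function names are mine.
# Assumes a POSIX sh, mktemp(1) and sed(1); the bash binary to test defaults to "bash".

# Print the version number from the first line of `bash --version`
# (e.g. "GNU bash, version 4.3.26(1)-release ..." -> "4.3.26"), or "unknown".
bash_version() {
    bv_bin="${1:-bash}"
    command -v "$bv_bin" >/dev/null 2>&1 || { echo "unknown"; return 2; }
    "$bv_bin" --version 2>/dev/null |
        sed -n '1s/^GNU bash, version \([0-9][0-9.]*\).*/\1/p'
}

# Run the thread's two checks against the given bash binary.
# Prints one of: patched, vulnerable:CVE-2014-6271, vulnerable:CVE-2014-7169, no-bash
# Exit status: 0 = patched, 1 = vulnerable, 2 = could not test.
shellshock_check() {
    sc_bin="${1:-bash}"
    if ! command -v "$sc_bin" >/dev/null 2>&1; then
        echo "no-bash"; return 2
    fi
    # CVE-2014-6271 (post #6): a patched bash must not run the command that
    # trails the exported function definition, so "vulnerable" must not appear.
    sc_out=$(env x='() { :;}; echo vulnerable' "$sc_bin" -c 'echo this is a test' 2>/dev/null) || true
    case "$sc_out" in
        *vulnerable*) echo "vulnerable:CVE-2014-6271"; return 1 ;;
    esac
    # CVE-2014-7169 (post #24): on an incompletely patched bash the parser bug
    # leaves a file named "echo" in the working directory; a patched bash does not.
    sc_dir=$(mktemp -d) || { echo "no-bash"; return 2; }
    ( cd "$sc_dir" &&
      env 'x=() { :;}; echo vulnerable' 'f=() { (a)=>\' "$sc_bin" -c 'echo echo vulnerable' ) >/dev/null 2>&1 || true
    if [ -e "$sc_dir/echo" ]; then
        rm -rf "$sc_dir"
        echo "vulnerable:CVE-2014-7169"; return 1
    fi
    rm -rf "$sc_dir"
    echo "patched"; return 0
}

# Stand-alone use: report the version, then the verdict.
echo "bash version: $(bash_version)"
shellshock_check || echo "exit status $?"
```

The version string alone is not a verdict (the fixed Debian package in this thread still reports 4.2.x); the behavioural check is what decides.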


#25 2014-09-26 23:37:11

#!_828
#! Tinfoil Hat
From: Ohio, U. S. of A.
Registered: 2013-09-19
Posts: 1,244

Re: [CVE-2014-6271] Update the Bash package ASAP

So we're not out of the woods yet  neutral  Oh well, I guess we'll just have to cinch up our tinfoil hats & wait it out until a final patch comes out  wink


