Bash Bug

Cyber experts warn of ‘Bash’ bug. Should we be concerned about this?

Thanks in advance!

https://forums.opensuse.org/showthread.php/501161-Vulnerability-in-bash

Patch for it was released, just update your system and you’ll be fine.

Recent news says the patch is flawed. It does help but is not a complete fix. Look for another patch soon. I’d not worry too much unless you have a Web facing server in any case.

I would not say “flawed” but rather “incomplete” ;).

Actually it seems the bash fix they released for openSUSE is not “incomplete”.

As per this RedHat article; https://access.redhat.com/articles/1200223

If you do a:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

And you get an error "bash: error importing function definition for `x'" your system is not vulnerable. On my patched 13.1's the end result is:

mariposa:~ # env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Try this.

env -i  X='() { (a)=>\' bash -c 'echo date'
jetchisel@Localhost:/tmp/test> env -i  X='() { (a)=>\' bash -c 'echo date'
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'

Check out the result with ls:

ls *
echo

It creates a file echo.

Now check what is inside echo:

cat echo
Fri Sep 26 15:57:23 ...

Replace echo with something else and you will see ;).

env -i  X='() { (a)=>\' bash -c 'echo ping localhost'

You will get an error but it still executes ping (which it should not) and saves the result in echo.

Some Debian user pointed out to me that they had a patch for this already.

You’re more than right, bloody hell - oh well, off to grab the Debian patch and compile my own bash for a temporary fix :P

Right, I compiled a bash that includes these two: http://seclists.org/oss-sec/2014/q3/att-712/variables-affix-4_2.patch and http://seclists.org/oss-sec/2014/q3/att-712/parser-oob-4_2.patch, and it fixes the issue - now it properly echoes the output.

The patches need to be modified a bit to work with the openSUSE bash with patches but I’m guessing they’ll release a new version soon.

This one is interesting.

http://lists.gnu.org/archive/html/bug-bash/2014-09/msg00176.html

On SUSE the default shell for wwwrun is already /bin/false though.

Right, I forgot about that :).

For those who want a video lecture about this bug,

https://www.youtube.com/v/aKShnpOXqn0&autoplay=0

This might be the time when commands will be banned from variables from now on lol!

Bash update is available in Update.

Right after the update run

exec bash

then try that shellshock test, it should print only the string to stdout and not execute it.

jetchisel@Localhost:~> env -i  X='() { (a)=>\' bash -c 'echo date'
date


jetchisel@Localhost:~>ls


jetchisel@Localhost:~> env -i  X='() { (a)=>\' bash -c 'echo ping localhost'
ping localhost

jetchisel@Localhost:~>ls
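The two probes quoted in this thread, wrapped into one script that reports the outcome described in the posts above: a file named echo appearing in the working directory means the parser bug is still there, a bare "date" on stdout and no file means the update landed. This is an added example, not code from any post in the thread; it assumes a POSIX sh with env, mktemp and a bash binary on PATH, and it runs the second probe inside a scratch directory so any stray file is created somewhere harmless.

```shell
#!/bin/sh
# Added example (not from the thread): run the two Shellshock probes quoted in
# this thread against the bash found on PATH and report "patched" or "vulnerable".
# Assumes a POSIX sh, env(1), mktemp(1) and a bash binary on PATH.

# Probe 1 (the Red Hat one-liner): an unpatched bash runs the trailing
# "echo vulnerable" while importing the function definition from $x.
check_function_import() {
    command -v bash >/dev/null 2>&1 || { echo bash-not-found; return 2; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Probe 2 (jetchisel's parser test): on an unpatched or partially patched bash
# the dangling "(a)=>\" redirect leaks into the command, so "echo date" runs as
# "date > echo" and a file named "echo" appears in the working directory.
# Run it in a scratch directory so any such file lands somewhere harmless.
check_parser_redirect() {
    command -v bash >/dev/null 2>&1 || { echo bash-not-found; return 2; }
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env -i X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then
        result=vulnerable
    else
        result=patched
    fi
    rm -rf "$dir"
    echo "$result"
}

# Run both probes; the exit status is 0 only if both report "patched".
shellshock_status() {
    r1=$(check_function_import)
    r2=$(check_parser_redirect)
    echo "function import: $r1"
    echo "parser redirect: $r2"
    [ "$r1" = patched ] && [ "$r2" = patched ]
}

shellshock_status
```

Run it again after `exec bash` (or a fresh login) once the update is installed; the script only tests the bash binary on PATH, so an already-running shell or a long-lived daemon that forked before the update is not covered by it.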


We’re still waiting for a 12.1 patch right?

No, openSUSE 12.1 is out of date.

https://en.opensuse.org/Lifetime

Looks like the latest bash for 13.1 is; bash-4.2-68.8.1 and it fixes all the tests I’ve found so far.

Update to a newer version of openSUSE or look for evergreen repos. The last resort is to compile it yourself (which is not a good idea) with the applied patches, then replace your /bin/bash with the binary that you have compiled, just don’t delete the rpm version though.

On Fri 26 Sep 2014 10:56:01 PM CDT, jetchisel wrote:

rawheadon;2666639 Wrote:
> We’re still waiting for a 12.1 patch right?

Update to a newer version of openSUSE or look for evergreen repos. The
last resort is to compile it yourself (which is not a good idea) with
the applied patches, then replace your /bin/bash with the binary that
you have compiled, just don’t delete the rpm version though.

Hi
You can update to bash 4.3 if that way inclined, there are 12.1
versions available from the shell repo;

http://download.opensuse.org/repositories/shells/openSUSE_12.1/


Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
openSUSE 13.1 (Bottle) (x86_64) GNOME 3.10.1 Kernel 3.11.10-21-desktop
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!

On 2014-09-27 00:16, rawheadon wrote:
>
> We’re still waiting for a 12.1 patch right?

No way.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

On 2014-09-27 00:56, jetchisel wrote:
>
> rawheadon;2666639 Wrote:
>> We’re still waiting for a 12.1 patch right?
>
> Update to a newer version of openSUSE or look for evergreen repos.

12.1 was never on Evergreen, and 11.4 maintenance has stopped just
today. There is no active Evergreen version now, they are in standby
till 13.1 is EOL by SUSE (expected in May 2015), then they take it over
till November 2016.

> The
> last resort is to compile it yourself (which is not a good idea) with
> the applied patches, then replace your /bin/bash with the binary that
> you have compiled, just don’t delete the rpm version though.

Surely 12.1 has several other unpatched vulnerabilities.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)