In today’s NY Times…
Typical US based article “But look at closed source, it is more secure and open source is only maintained by people on their free time blah blah”.
Wonder who sponsored this “article”.
The only thing I get from this link is a login page.
When you have an Application problem (that is what this forum section is about) with Bash (your title), please explain it in a way that we can understand without having to provide unknown username/password combinations.
Yes the title is very vague. As for the article itself I don’t know why it doesn’t display for you, so here it is pasted.
By NICOLE PERLROTH, SEPT. 25, 2014
Long before the commercial success of the Internet, Brian J. Fox invented one of its most widely used tools.
In 1987, Mr. Fox, then a young programmer, wrote Bash, short for Bourne-Again Shell, a free piece of software that is now built into more than 70 percent of the machines that connect to the Internet. That includes servers, computers, routers, some mobile phones and even everyday items like refrigerators and cameras.
On Thursday, security experts warned that Bash contained a particularly alarming software bug that could be used to take control of hundreds of millions of machines around the world, potentially including Macintosh computers and smartphones that use the Android operating system.
The bug, named “Shellshock,” drew comparisons to the Heartbleed bug that was discovered in a crucial piece of software last spring.
But Shellshock could be a bigger threat. While Heartbleed could be used to do things like steal passwords from a server, Shellshock can be used to take over the entire machine. And Heartbleed went unnoticed for two years and affected an estimated 500,000 machines, but Shellshock was not discovered for 22 years.
That a flawed piece of code could go unnoticed for more than two decades could be surprising to many. But not to programmers.
Many of the commercial tools that individual users and large corporations depend upon are built on top of programs that are written and maintained by a few unpaid volunteers in what is called the open-source community. That community, along with big companies like Google, adjusts and builds new things on top of older work. The Macintosh operating system, for example, is routinely updated, but it is built on top of older programs like Unix.
Sometimes there are flaws in that code. And over the years, the flaw becomes part of all sorts of products.
Mr. Fox maintained Bash — which serves as a sort of software interpreter for different commands from a user — for five years before handing over the reins to Chet Ramey, a 49-year-old programmer who, for the last 22 years, has maintained the software as an unpaid hobby. That is, when he is not working at his day job as a senior technology architect at Case Western Reserve University in Ohio.
Mr. Ramey said in an interview on Thursday that he believed he inadvertently introduced Shellshock in a new Bash feature in 1992, though he could not be sure because back then he was not keeping comprehensive logs. Through the years, he maintained Bash by himself and occasionally bug reports would arrive in his email inbox.
On Sept. 12, he was contacted by Stephane Chazelas, another open-source enthusiast, about a potentially dangerous bug.
Mr. Chazelas discovered the flaw after finding a similar issue in another system a few months back. He tested the bug — which he called “Bashdoor”— against his own servers and looked for ways to detect and fix it.
Working with Mr. Ramey and people who work on open-source security, Mr. Chazelas had a patch within hours. Then they contacted major software makers while trying to avoid tipping off hackers.
An official alert from the National Institute of Standards and Technology warned that the vulnerability was a 10 out of 10, in terms of its severity, impact and exploitability, but low in terms of its complexity, meaning that it could be easily used by hackers.
Security researchers say that as soon as the bug was reported they detected widespread Internet scanning by so-called white hat hackers — most likely security researchers — as well as people thought to be cybercriminals. The worry is that it is only a matter of time before somebody writes a program that will use Shellshock to take them over.
Researchers noted that it would be much easier for this to happen with Internet-connected servers than with a personal Macintosh laptop, because individuals would have to connect their laptops to a public network that hackers knew they were connected to in order to exploit the vulnerability.
Apple did not return a request seeking comment.
The Department of Homeland Security’s Computer Emergency Readiness Team, US-CERT, advised users and technology administrators to refer to their Linux or Unix-based operating systems suppliers for an appropriate patch. For users at home, security experts advised them to stay abreast of software updates and check manufacturer websites, particularly for hardware like routers.
Even as some question the open-source community, its biggest advocates say the bug’s discovery — even after 22 years — at least proves that programmers never stop trying to get things right.
In an interview Thursday, Mr. Fox, the Bash inventor, joked that his first reaction to the Shellshock discovery was, “Aha, my plan worked.”
After the Heartbleed bug was discovered last spring, the nonprofit Linux Foundation worked with major technology companies like Amazon, Apple and Google on the Core Infrastructure Initiative, an effort to identify and fund core pieces of open-source infrastructure. Contacted Thursday, Jim Zemlin, the executive director of the Linux Foundation, said the initiative was contacting Mr. Ramey to see how it could help.
“I don’t think this is an open-source problem,” Mr. Zemlin said. “Software is eating the world. The bad news is software is hard and complex.”
The mantra of open source was perhaps best articulated by Eric S. Raymond, one of the elders of the open-source movement, who wrote in 1997 that “given enough eyeballs, all bugs are shallow.” But, in this case, Steven M. Bellovin, a computer science professor at Columbia University, said, those eyeballs are more consumed with new features than quality. “Quality takes work, design, review and testing and those are not nearly as much fun as coding,” Mr. Bellovin said. “If the open-source community does not develop those skills, it’s going to fall further behind in the quality race.”
As the technical side of this is the subject of more than one thread here (is there a patch? yes, just YOU or zypper patch and you get it; is that patch complete? that is the question at the moment), this article is imho something to discuss at General Chitchat (for those who love to do that).
Any comment about moving it?
No objection to moving it.
Will be moved to General Chitchat and is CLOSED for the moment.
Moved from Applications and open again.
The last few days, when I check my mailbox there is a message advertising the New York Times (digital subscription). I JHD (Just Hit Delete). It is this sort of article that dissuades me from considering a subscription. I think I do better with a variety of news sources.
If one never uses bash, is it ever an issue?
Of course not. But the problem is you never know you do not use it. Maybe this is about the semantics of who is “you”. A system does not know “you”. It has users, defined in /etc/passwd. One root and a multitude of “normal” users. And the system is full of bash scripts that are executed by those users at boot, during the running and at shutdown. And even if one of the users (you?) never starts a bash script on purpose from a terminal window, that does not mean that e.g. inside your desktop no bash scripts are used.
But, as mentioned here or in one of the other threads, as long as you do not offer access (e.g. a web server) to the outside world, nobody will harm your system.
On 2014-09-26 19:56, BSDuser wrote:
>
> If one never uses bash, is it ever an issue?
YES
…unless you actually remove bash from your system, but that would
probably make your system fail, as many scripts rely on it.
The problem, regarding an outside attack, is that services you offer
outside, like ssh, dhcp, may use bash internally as part of the service,
and then you can be attacked that way.
http://en.wikipedia.org/wiki/Shellshock_(software_bug)
+++··················
CVE-2014-6271 vulnerability details
Bash supports exporting Bash function definitions inside environment
variables. For example, the following defines a “hello world” function
inside environment variable named, “HELLO_WORLD_VAR”
HELLO_WORLD_VAR='() { echo "Hello World"; };'
Note that the function is defined only, not executed, when Bash starts.
The bug is that Bash did not stop parsing at the end of the function,
but instead, continued interpreting. So if an attacker could set the
value of the environment variable to, for example,
HELLO_WORLD_VAR='() { echo "Hello World"; }; rm /path/to/file'
Then Bash first would define, but not execute, the function (only
defining it is harmless), but immediately, execute the malicious command
“rm /path/to/file”, effectively giving shell access to the attacker.
The attacker would still have to get his code inserted into an
environment variable, but many Internet-facing daemons will insert
user-supplied code into an environment variable, since it normally would
be considered harmless.
Web server example
When sending a request for a document from a web server, for example
http://www.example.com/, the user always sends along a text string
called the user agent, indicating the name of the user’s current
browser. This user agent text string typically is then put into the
environment variable HTTP_USER_AGENT by the web server, and will be seen
by the web server process and all its child processes. Since the
contents of the user agent string is arbitrary, it can be set to, for
example, “() { echo "Hello World"; }; rm /path/to/file”, which due to the
Bash bug will run the command “rm /path/to/file” if parsed by a Bash
shell. If the web server, or a child of the web server, runs a Bash
shell while servicing the request, the command will be run. Note that
not all web servers will run Bash scripts while servicing requests.
··················++-
The article then gives examples for ssh and dhcp. There may be more.
–
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)
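Two defender-side checks for the mechanism in the quoted excerpt, as an added example that is not part of this thread or of the Wikipedia text it quotes: the canonical probe of the local bash (does a command after an exported function body get run?), and a scan of constructed access-log lines for the "() {" prefix that bash's importer keyed on. Assumes a POSIX sh and a bash found via $BASH_BIN or PATH.

```shell
#!/bin/sh
# Added example, not part of the thread or the quoted Wikipedia text: two
# defender-side checks for the CVE-2014-6271 mechanism described above.
# Assumes a POSIX sh; the bash to probe comes from $1, $BASH_BIN, or PATH.

# The canonical post-disclosure test: export a variable whose value starts
# with "() {" (the exact prefix bash's importer looked for) and see whether
# the command after the function body runs. A patched bash only defines or
# ignores the function; an unpatched one also runs "echo vulnerable".
# Prints "patched", "vulnerable" or "no-bash".
probe_bash() {
    bin="${1:-${BASH_BIN:-$(command -v bash 2>/dev/null)}}"
    if [ -z "$bin" ] || [ ! -x "$bin" ]; then echo no-bash; return 0; fi
    out=$(env PROBE='() { :;}; echo vulnerable' "$bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Constructed Apache-style access-log lines (not real traffic). The third
# carries the Shellshock signature in the User-Agent field, which a CGI-
# enabled server would export as HTTP_USER_AGENT before spawning bash.
SAMPLE_LOG='192.0.2.10 - - [26/Sep/2014:19:56:01 +0200] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.11 - - [26/Sep/2014:19:56:02 +0200] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "curl/7.37.0"
198.51.100.7 - - [26/Sep/2014:19:56:03 +0200] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :; }; echo probe"
192.0.2.12 - - [26/Sep/2014:19:56:04 +0200] "GET /index.html HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 6.1)"'

# Count log lines (read from stdin) whose logged header fields begin a bash
# function definition. grep -c exits 1 on zero matches, so force success.
count_shellshock_hits() {
    grep -c -F '() {' || true
}

# Print the client address of each matching line, for follow-up triage.
list_shellshock_sources() {
    grep -F '() {' | awk '{ print $1 }' || true
}

# When run directly: summarise the sample log, then probe the local bash.
printf 'hits: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_shellshock_hits)"
printf 'local bash: %s\n' "$(probe_bash)"
```

On a current system the probe reports "patched"; feed a real access log to the two scan functions on stdin to look for the same prefix in your own traffic.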