CVE shellshock

There are patches for this in OX 13.1x64, but apparently one is still needed (see the thread)
http://krebsonsecurity.com/2014/09/shellshock-bug-spells-trouble-for-web-security/#more-28045

"Be aware that there are multiple problems. The main one was patched Wednesday in major distributions, but other problems were patched Thursday and this morning.

Presence of the additional problems can be tested with the following — yes, this is correct, even though the text looks mangled because of a missing } and other things;
http://pastebin.com/PpgwgEfR
If you see the current date and time printed (along with error messages), CVE-2014-7169 is still present. If you see only error messages, you’re safe."

patti@linux-l8th:~> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
patti@linux-l8th:~> env X='() { (a)=>\' sh -c "echo date"; cat echo; rm echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Fri Sep 26 13:35:44 PDT 2014
patti@linux-l8th:~> 

http://i.imgur.com/d50ir0W.jpg

:3

which repo did you got that shellshock rpm? lol!

… show-off! :wink:

Hahah I compiled it myself with .patches from Debian security :slight_smile:

After installing the latest updates for 13.1 a few hours ago:
http://susepaste.org/images/48906726.png

I thought this bug is about bash, why the sh -c ‘…’ :wink:


% ls -l `which sh`
lrwxrwxrwx 1 croot root 9 Jul 23 07:57 /usr/bin/sh -> /bin/bash

“sh” is just another name for “bash” on most linux systems.

Still

sh != bash  

That is the most common mistake. ie. if you write POSIX sh syntax then it will work with #!/bin/bash header (or where your bash resides)
but not the other way around ;).

If you invoke sh -c … then bash is in

--posixmode

assuming your shell is bash…

Granted. However, the two commands use the identical binary, so potentially have many of the same bugs.

Sigh.
I just did exactly the same as in the original post, to show that the bug should be fixed in the official packages as well already.
And as you can see in the original post, the vulnerability was there with sh as well, posix compatibility mode or not.

But ok, here again with bash:

Are you satisfied now?

A sidenote: for running sh -c “echo date”, it shouldn’t matter whether you use sh (bash in sh mode) or bash at all. There is absolutely no (possibly changed) shell syntax involved here.

Aah Wolfi, those fonts and lack of sub-pixel hinting. My eyes! :smiley:

Sooo… what does all this mean to mere mortals like me? :wink:

PattiMichelle rotfl!

That you should keep your system up to date with available patches.

Install all recent updates, and you should not need to worry, I’d say… :wink:

I’m not sure if all vulnerabilities are fixed by now, but the one you asked about definitely is.
If other patches are still necessary, they will be released as updates as well ASAP.

On Sat 27 Sep 2014 03:36:01 PM CDT, PattiMichelle wrote:

Sooo… what does all this mean to mere mortals like me? :wink:

PattiMichelle rotfl!

Hi
If you have an internet facing web server, use this check
https://shellshock.detectify.com/


Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
openSUSE 13.1 (Bottle) (x86_64) GNOME 3.10.1 Kernel 3.11.10-21-desktop
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!

is my os compromised?
the date function is being run!
would appreciate confirmation that’s ok

btw after last update, kde would not launch until
exec bash
cmd given from command line

cheers

with bash-4.2-245.1 from
URL: http://download.opensuse.org:80/repositories/Base:/System/openSUSE_Factory/

hp-g7-2248sg<2014Sep27><18:12><~> env X='() { (a)=>\' bash -c "echo date"; cat echo; rm echo
date
Sat Sep 27 11:28:54 CEST 2014

hp-g7-2248sg<2014Sep27><18:25><~> rpm -qi bash
Name        : bash
Version     : 4.2
Release     : 245.1
Architecture: x86_64
Install Date: Sat 27 Sep 2014 11:35:57 CEST
Group       : System/Shells
Size        : 720785
License     : GPL-3.0+
Signature   : RSA/SHA1, Fri 26 Sep 2014 15:01:51 CEST, Key ID 88eb5d66e2c0098c
Source RPM  : bash-4.2-245.1.src.rpm
Build Date  : Fri 26 Sep 2014 15:00:50 CEST
Build Host  : build10
Relocations : (not relocatable)
Vendor      : obs://build.opensuse.org/Base:System
URL         : http://www.gnu.org/software/bash/bash.html
Summary     : The GNU Bourne-Again Shell
Description :
Bash is an sh-compatible command interpreter that executes commands
read from standard input or from a file.  Bash incorporates useful
features from the Korn and C shells (ksh and csh).  Bash is intended to
be a conformant implementation of the IEEE Posix Shell and Tools
specification (IEEE Working Group 1003.2).
Distribution: Base:System / openSUSE_Factory
hp-g7-2248sg<2014Sep27><18:26><~>

with bash-4.3-13.1 from
URL: http://download.opensuse.org:80/repositories/shells/openSUSE_Factory/

hp-g7-2248sg<2014Sep27><18:38><~> env X='() { (a)=>\' bash -c "echo date"; cat echo; rm echo
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
Sat 27 Sep 18:38:39 CEST 2014
hp-g7-2248sg&lt;2014Sep27&gt;&lt;18:38&gt;&lt;~&gt; 

hp-g7-2248sg&lt;2014Sep27&gt;&lt;18:38&gt;&lt;~&gt; rpm -qi bash                                                                                                                                          
Name        : bash                                                                                                                                                                      
Version     : 4.3                                                                                                                                                                       
Release     : 13.1
Architecture: x86_64
Install Date: Sat 27 Sep 2014 18:35:32 CEST
Group       : System/Shells
Size        : 764301
License     : GPL-3.0+
Signature   : DSA/SHA1, Fri 26 Sep 2014 10:54:56 CEST, Key ID 85cfe451b91e1e8b
Source RPM  : bash-4.3-13.1.src.rpm
Build Date  : Fri 26 Sep 2014 10:54:22 CEST
Build Host  : build21
Relocations : (not relocatable)
Vendor      : obs://build.opensuse.org/shells
URL         : http://www.gnu.org/software/bash/bash.html
Summary     : The GNU Bourne-Again Shell
Description :
Bash is an sh-compatible command interpreter that executes commands
read from standard input or from a file.  Bash incorporates useful
features from the Korn and C shells (ksh and csh).  Bash is intended to
be a conformant implementation of the IEEE Posix Shell and Tools
specification (IEEE Working Group 1003.2).
Distribution: shells / openSUSE_Factory
hp-g7-2248sg&lt;2014Sep27&gt;&lt;18:40&gt;&lt;~&gt; 

How should anybody being able to answer that? :wink:

the date function is being run!
would appreciate confirmation that’s ok

No, it’s not ok. It should not get run, you should get an error message, like

btw after last update, kde would not launch until
exec bash
cmd given from command line

Hm?
What has KDE to do with bash?
You should have a bash already when you login to text mode, so no need to start another one I’d say.

But that’s more a topic for the Beta/Pre-Release forum.

with bash-4.2-245.1 from
URL: http://download.opensuse.org:80/repositories/Base:/System/openSUSE_Factory/

AFAICS, that version contains the exact same patches as the 13.1 update.
So you should get the same error messages as others in this thread have shown already.

Have you rebooted your system? You need to restart bash to run the fixed version. A running instance will still contain the vulnerability after you installed the update.

hi wolfi323

thanks for the response

the updates :-

< bash-4.2-74.2.x86_64                                    > bash-4.3-13.1.x86_64
< bash-completion-2.1-4.5.noarch                          > bash-completion-2.1-55.2.noarch
< bash-doc-4.2-74.2.noarch                                > bash-doc-4.3-13.1.noarch
<                                                         > bash-lang-4.3-13.1.noarch

both looked bad, the laptop only booted 1 in about 6 tries, with the latter bash,
so re-installed the prior bash

this output now looks to be fine

hp-g7-2248sg<2014Sep27><22:42><~> env X='() { (a)=>\' bash -c "echo date"; cat echo; rm echo
date
cat: echo: No such file or directory
rm: cannot remove ‘echo’: No such file or directory
hp-g7-2248sg<2014Sep27><22:43><~>

also no problems booting now

maybe this is a one off, sorry for the inconvenience

cheers