Gentoo Forums
Bash Vulnerability

geeksheik
Tux's lil' helper
Joined: 07 Sep 2003
Posts: 95
Location: Zürich, Switzerland
Posted: Sat Oct 04, 2014 2:34 pm

The corrupted ebuild was fixed the same day.

A big thanks to the maintainers (both Gentoo & upstream); I'm sure it's not an easy time at the moment.

eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 7134
Location: almost Mile High in the USA
Posted: Mon Oct 06, 2014 8:45 pm

Arrgh... It's the broken again shell!
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?

ct85711
Veteran
Joined: 27 Sep 2005
Posts: 1696
Posted: Mon Oct 06, 2014 9:58 pm

At least the one good thing about these vulnerabilities in bash is that it's getting a lot closer review, finding all these other issues that should have been fixed a long time ago. Hopefully someone is also taking a look at zsh, dash, etc. for similar issues.

eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 7134
Location: almost Mile High in the USA
Posted: Tue Oct 07, 2014 12:03 am

It almost looks like a house of cards there... It looks like a whole bunch of bugs that were discovered related to environment function passing (which can be a good thing) one after another...

Is function passing a feature specific to bash? I'd imagine this shouldn't be a unique feature. There have been tons of restrictions of what can and can't be passed (variables, exported variables, etc.), and having them pass can make scripts run considerably faster...
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?

ct85711
Veteran
Joined: 27 Sep 2005
Posts: 1696
Posted: Tue Oct 07, 2014 1:16 pm

My thoughts on function passing are more that the data being used in one environment shouldn't be idly used outside of its environment. So any data used in one function shouldn't be accessible outside of that function, unless it was explicitly passed on to another function. Now a function jumping to another sounds more like an uncontrolled operation than anything else (like how do you know that every time it will always jump to that function, and not some rogue one that was injected into the tree above it).

*Note* I wouldn't consider myself as a programmer, more of a hobbyist; as I'm not too skilled on programming yet.

Hu
Moderator
Joined: 06 Mar 2007
Posts: 13865
Posted: Wed Oct 08, 2014 1:51 am

Function inheritance may not be unique to bash, but there is no standard on how to do it, so any other shells that do it likely do it differently from bash, especially now that bash has several different ways of doing it, depending on which patch level you run.

I believe I saw a comment on one of the mailing lists that the reason this was so broken is that the bash parser was never considered a security boundary until Shellshock hit. The assumption was always that by the time the user could feed it bad input, the shell was running and ready to do as you asked, so the only thing you could achieve by feeding it bad input was to crash the shell. Shellshock was a problem because the parser consumed user input while running with fewer restrictions than the user would have when the shell finished initializing and began accepting interactive input.
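
A local check of the two points in the post above, as an added example that is not part of the original thread: it reports which environment encoding the installed bash uses for exported functions, and whether an ordinary variable is still parsed as a function definition during shell startup. It assumes a `bash` binary on PATH; the names `gr_probe`, `func_export_style` and `imports_plain_variable` are made up here.

```shell
#!/bin/sh
# Added example. Assumptions: a `bash` binary is on PATH; the probe function
# name gr_probe and both helper names are invented for this illustration.

# Report how the given bash encodes an exported function in the environment:
#   legacy      gr_probe=() { ...             any variable name can carry code
#   namespaced  BASH_FUNC_gr_probe%%=() { ... only specially named variables do
func_export_style() {
    bash_bin=${1:-bash}
    # Export a function from one bash, then read the name its child process sees.
    name=$("$bash_bin" -c 'gr_probe() { :; }; export -f gr_probe; env' 2>/dev/null |
        sed -n 's/^\([^=]*gr_probe[^=]*\)=() {.*/\1/p')
    case $name in
        gr_probe)               echo legacy ;;
        'BASH_FUNC_gr_probe%%') echo namespaced ;;
        '')                     echo unknown ;;
        *)                      echo "other:$name" ;;
    esac
}

# Does bash turn an ordinary variable whose value merely looks like a function
# definition into a function while it starts up? Prints "yes" or "no".
# The value carries no trailing commands; it only asks whether the startup
# parser treats the contents of arbitrary variables as code.
# If bash cannot be run at all this prints "no"; func_export_style then
# prints "unknown", so read the two results together.
imports_plain_variable() {
    bash_bin=${1:-bash}
    if env gr_probe='() { :; }' "$bash_bin" -c 'declare -F gr_probe' >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

echo "exported function encoding: $(func_export_style)"
echo "plain variable imported as function: $(imports_plain_variable)"
```

Both functions accept a path to a specific bash binary as their first argument, which helps when more than one build is installed.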

ChrisJumper
Advocate
Joined: 12 Mar 2005
Posts: 2225
Location: Germany
Posted: Thu Oct 09, 2014 3:37 pm

At the next Time index tick, your Bash should have Version: 4.2_p53.

eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 7134
Location: almost Mile High in the USA
Posted: Thu Oct 09, 2014 3:42 pm

The http attacks have dropped down a lot... I got one yesterday and it's sort of disguised as a beneficial fix but how could they fix it? You can't fix bash without root...

And as expected... it's yet another command and remote control IRC bot.

Oh well.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?

patrix_neo
Guru
Joined: 08 Jan 2004
Posts: 518
Location: The Maldives
Posted: Thu Oct 09, 2014 5:04 pm

The last two weeks I have been rebooting my system (just-in-case) more times than I usually do in the span of months consuming a big part of a year.
I feel that necessary reboots have become a more frequent behavior for us Linux folks.

But, as I have made it to believe, this bash problem was a security issue meant to happen. Has been overlooked, that is.
Anyway..

ct85711
Veteran
Joined: 27 Sep 2005
Posts: 1696
Posted: Fri Oct 10, 2014 9:24 pm

Just wondering, why are you needing to reboot so frequently? I've been leaving my computer on all the time, and I only reboot when I switch OS (lately, been often for class); otherwise I haven't ever really needed to reboot. You can't say because of all these security issues, as there's always some new security issue for some software nearly daily. That part is a matter of life for any OS (Windows, you just don't get told, and it doesn't get fixed till several months later on). Just like there's some new version of software out. Bash by itself is the easiest thing in regards to updating to the new version installed; the most you need to do is reload the terminal window/log out and log back in, and it's using the latest bash (that is installed).

The point I am getting at is, there's no point worrying about some security issue. There will always be some new one; the most you can do is update your software, monitor your system(s) and continue with your life (it's not going to end, about something so minor). The developers here (including for most of the Linux environment) will address the security issues as fast as they can and you should have access to a patch relatively fast.

patrix_neo
Guru
Joined: 08 Jan 2004
Posts: 518
Location: The Maldives
Posted: Tue Oct 21, 2014 3:58 pm

ct85711 wrote:
just wondering, why are you needing to reboot so frequently?

I can only speak for myself, but I have understood that processes, like underlying services such as login and boot-up processes, are depending on bash/sh.
And there have been 3 new bash security updates.

So, in terms of time consumed, a reboot is quite ok, secure in terms of avoiding wtf-did-I-forget-that?, and maybe lazy.

And then there are other occasions I do reboots. Among others are

kernel-upgrades
glibc

UberLord
Retired Dev
Joined: 18 Sep 2003
Posts: 6741
Location: Blighty
Posted: Tue Oct 21, 2014 11:03 pm

patrix_neo wrote:
I can only speak for myself, but I have understood that processes, like underlying services as login, boot up processes are depending on bash/sh.


They use bash, but do not persist it, they reload it on demand.
So no, rebooting to upgrade bash is not needed.
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool

patrix_neo
Guru
Joined: 08 Jan 2004
Posts: 518
Location: The Maldives
Posted: Wed Oct 22, 2014 1:58 am

UberLord wrote:
patrix_neo wrote:
I can only speak for myself, but I have understood that processes, like underlying services as login, boot up processes are depending on bash/sh.


They use bash, but do not persist it, they reload it on demand.
So no, rebooting to upgrade bash is not needed.


Thank you for the input. Not so much shocking news for me either. Me rebooting often, I now understand, is more of a me-problem.
But to clarify for my tiny brain, when you say reload on demand, does that involve a manual reload?
I knew back when I did an init 1 and then an init 3 to restart everything but, I think, the kernel and the glibc.
I don't know if that's still true with the OpenRC of today.

UberLord
Retired Dev
Joined: 18 Sep 2003
Posts: 6741
Location: Blighty
Posted: Wed Oct 22, 2014 2:57 am

patrix_neo wrote:
But to clarify for my tiny brain, when you say reload on demand, does that involve a manual reload?


No.
Init will do this for example

/etc/init.d/foo
-> /sbin/runscript
-> /bin/sh
-> /bin/bash
-> foo

foo then forks as a daemon or something, everything else unloads.

If a daemon internally calls out to sh or bash it will be like running a program which 99% of the time will close again promptly.

So nothing manual in reloading is required.

Quote:

I knew back when I did an init 1 and then an init 3 to restart everything but, I think, the kernel and the glibc.
I don't know if that's still true with the OpenRC of today.


Should still work on Gentoo/Linux.
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool
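
One way to verify the point made in the post above instead of rebooting, as an added example that is not part of the original thread: list the processes that are still executing a shell binary which has since been replaced on disk. It assumes Linux `/proc` semantics, where such a process's `exe` link reads `<path> (deleted)`; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumptions: Linux /proc semantics, where the exe link of a
# process whose binary was replaced on disk reads "<path> (deleted)".
# Function names and the sample tree are constructed for this illustration.

# Print "PID TARGET" for every process under a /proc-style root that is still
# executing a bash or sh binary which no longer exists on disk.
stale_shells() {
    proc_root=${1:-/proc}
    for exe in "$proc_root"/[0-9]*/exe; do
        # Unreadable links (other users' processes, kernel threads) are skipped.
        target=$(readlink "$exe" 2>/dev/null) || continue
        case $target in
            */bash\ \(deleted\) | */sh\ \(deleted\))
                pid=${exe%/exe}
                printf '%s %s\n' "${pid##*/}" "$target"
                ;;
        esac
    done
}

# Constructed stand-in for /proc: a daemon started through the init script
# chain, a shell started after the upgrade, and one shell from before it.
make_sample_proc() {
    root=$(mktemp -d) || return 1
    mkdir "$root/101" "$root/77" "$root/4242"
    ln -s /usr/sbin/foo "$root/101/exe"
    ln -s /bin/bash "$root/77/exe"
    ln -s '/bin/bash (deleted)' "$root/4242/exe"
    echo "$root"
}

sample=$(make_sample_proc)
stale_shells "$sample"
rm -rf "$sample"
```

Run `stale_shells` with no argument as root after an upgrade to scan the real `/proc`; an empty result means no process still holds the old shell binary.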

eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 7134
Location: almost Mile High in the USA
Posted: Wed Oct 22, 2014 7:56 pm

I just saw a few people sending shellshocks to me via http after about 2 weeks of silence.
Not quite forgotten just yet...
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?

All times are GMT
Page 2 of 2