geeksheik Tux's lil' helper
Joined: 07 Sep 2003 Posts: 99 Location: Zürich, Switzerland
|
Posted: Sat Oct 04, 2014 2:34 pm Post subject: |
|
|
The corrupted ebuild was fixed the same day.
A big thanks to the maintainers (both Gentoo & upstream); I'm sure it's not an easy time at the moment. |
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
|
Posted: Mon Oct 06, 2014 8:45 pm Post subject: |
|
|
Arrgh... It's the broken again shell!
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
ct85711 Veteran
Joined: 27 Sep 2005 Posts: 1791
|
Posted: Mon Oct 06, 2014 9:58 pm Post subject: |
|
|
At least the one good thing about these vulnerabilities in bash is that it's getting a lot closer review, finding all these other issues that should have been fixed a long time ago. Hopefully someone is also taking a look at zsh, dash, etc. for similar issues. |
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
|
Posted: Tue Oct 07, 2014 12:03 am Post subject: |
|
|
It almost looks like a house of cards there... It looks like a whole bunch of bugs that were discovered related to environment function passing (which can be a good thing) one after another...
Is function passing a feature specific to bash? I'd imagine this shouldn't be a unique feature. There have been tons of restrictions of what can and can't be passed (variables, exported variables, etc.), and having them pass can make scripts run considerably faster...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
ct85711 Veteran
Joined: 27 Sep 2005 Posts: 1791
|
Posted: Tue Oct 07, 2014 1:16 pm Post subject: |
|
|
My thoughts on function passing is more of the data being used in one environment shouldn't be idly used outside of its environment. So any data used in one function shouldn't be accessible outside of that function, unless it was explicitly passed onto another function. Now a function jumping to another sounds more like an uncontrolled operation than anything else (like how do you know every time, it will always jump to that function, and not some rogue one that was injected into the tree above it).
*Note* I wouldn't consider myself as a programmer, more of a hobbyist; as I'm not too skilled on programming yet. |
|
Hu Moderator
Joined: 06 Mar 2007 Posts: 21631
|
Posted: Wed Oct 08, 2014 1:51 am Post subject: |
|
|
Function inheritance may not be unique to bash, but there is no standard on how to do it, so any other shells that do it likely do it differently from bash, especially now that bash has several different ways of doing it, depending on which patch level you run.
I believe I saw a comment on one of the mailing lists that the reason this was so broken is that the bash parser was never considered a security boundary until Shellshock hit. The assumption was always that by the time the user could feed it bad input, the shell was running and ready to do as you asked, so the only thing you could achieve by feeding it bad input was to crash the shell. Shellshock was a problem because the parser consumed user input while running with fewer restrictions than the user would have when the shell finished initializing and began accepting interactive input. |
|
ChrisJumper Advocate
Joined: 12 Mar 2005 Posts: 2390 Location: Germany
|
Posted: Thu Oct 09, 2014 3:37 pm Post subject: |
|
|
At the next Time index tick, your Bash should have Version: 4.2_p53. |
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
|
Posted: Thu Oct 09, 2014 3:42 pm Post subject: |
|
|
The http attacks have dropped down a lot... I got one yesterday and it's sort of disguised as a beneficial fix, but how could they fix it? You can't fix bash without root...
And as expected... it's yet another command and remote control irc bot.
Oh well.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
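The probes mentioned in this thread put a bash function definition into an HTTP header, which a CGI server hands to the shell as an environment variable (the parser problem Hu describes above). As an added example, not part of any post, this sketch scans a combined-format access log for Referer or User-Agent values beginning with `() {`; the function names and log lines are constructed.

```shell
#!/bin/sh
# Added example: flag access-log entries whose Referer or User-Agent begins
# with "() {", the prefix bash used to recognise a function passed through
# the environment. sample_log and scan_log are names chosen for this example.

# Constructed Apache "combined" log lines; addresses are documentation ranges
# and the text after the function prefix is deliberately elided.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [09/Oct/2014:15:40:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Oct/2014:15:41:12 +0000] "GET /cgi-bin/status HTTP/1.0" 200 0 "-" "() { :; }; [elided]"
198.51.100.7 - - [09/Oct/2014:15:41:13 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 404 0 "() { :; }; [elided]" "-"
203.0.113.5 - - [22/Oct/2014:19:50:44 +0000] "GET / HTTP/1.1" 200 512 "-" "() {ignored;}; [elided]"
192.0.2.10 - - [22/Oct/2014:19:51:00 +0000] "GET /docs/f().html HTTP/1.1" 200 90 "-" "Mozilla/5.0"
EOF
}

# Reads a combined-format log on stdin and prints "client hits", sorted by client.
# Limitation: a header value containing an escaped quote shifts the field split.
scan_log() {
    awk -F'"' '
        {
            hit = 0
            # With the double quote as separator: $4 = Referer, $6 = User-Agent
            if ($4 ~ /^[(][)] [{]/) hit = 1
            if ($6 ~ /^[(][)] [{]/) hit = 1
            if (hit) { split($1, a, " "); count[a[1]]++ }
        }
        END { for (ip in count) print ip, count[ip] }
    ' | sort
}

sample_log | scan_log
```

Only headers that the log format records can be checked this way; a probe carried in any other header leaves no trace in a combined-format log.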
patrix_neo Guru
Joined: 08 Jan 2004 Posts: 520 Location: The Maldives
|
Posted: Thu Oct 09, 2014 5:04 pm Post subject: |
|
|
The last two weeks I have been rebooting my system (just-in-case) more times than I usually do in the span of months consuming a big part of a year.
I feel that necessary reboots have become a more frequent behavior for us Linux folks.
But, as I have made it to believe, this bash problem was a security issue meant to happen. Has been overlooked, that is.
Anyway.. |
|
ct85711 Veteran
Joined: 27 Sep 2005 Posts: 1791
|
Posted: Fri Oct 10, 2014 9:24 pm Post subject: |
|
|
Just wondering, why are you needing to reboot so frequently? I've been leaving my computer on all the time, and I only reboot when I switch OS (lately, been often for class), otherwise I haven't ever really needed to reboot. You can't say because of all these security issues; as there's always some new security issue for some software nearly daily. That part is a matter of life for any OS, (Windows, you just don't get told, and doesn't get fixed till several months later on). Just like, there's some new version of software out. Bash by itself, is the easiest thing in regards to updating to the new version installed; most you need to do is reload the terminal window/log out and log back in, and it's using latest bash (that is installed).
The point I am getting at; is, there's no point worrying about some security issue. There will always be some new one; the most you can do is update your software, monitor your system(s) and continue with your life (it's not going to end, about something so minor). The developers here (including for most of the Linux environment) will address the security issues as fast as they can and you should have access to a patch relatively fast. |
|
patrix_neo Guru
Joined: 08 Jan 2004 Posts: 520 Location: The Maldives
|
Posted: Tue Oct 21, 2014 3:58 pm Post subject: |
|
|
ct85711 wrote: | just wondering, why are you needing to reboot so frequently? |
I can only speak for myself, but I have understood that processes, like underlying services as login, boot up processes are depending on bash/sh.
And there have been 3 new bash security updates.
So, in function of time consuming, a reboot is quite ok, secure in terms of avoiding wtf-did-I-forgot-that?, and maybe lazy.
And then there are other occasions I do reboots. Among others are
kernel-upgrades
glibc |
|
UberLord Retired Dev
Joined: 18 Sep 2003 Posts: 6835 Location: Blighty
|
|
patrix_neo Guru
Joined: 08 Jan 2004 Posts: 520 Location: The Maldives
|
Posted: Wed Oct 22, 2014 1:58 am Post subject: |
|
|
UberLord wrote: | patrix_neo wrote: | I can only speak for myself, but I have understood that processes, like underlying services as login, boot up processes are depending on bash/sh. |
They use bash, but do not persist it, they reload it on demand.
So no, rebooting to upgrade bash is not needed. |
Thank you for the input. Not so much a shocking news for me either. Me rebooting often, I now understand is more of a me-problem.
But to clarify for my tiny brain, when you say reload on demand, does that involve a manual reload?
I knew back when I did an init 1 and then an init 3 to restart everything but, I think, the kernel and the glibc.
I don't know if that's still true with the OpenRC of today. |
|
UberLord Retired Dev
Joined: 18 Sep 2003 Posts: 6835 Location: Blighty
|
Posted: Wed Oct 22, 2014 2:57 am Post subject: |
|
|
patrix_neo wrote: | But to clarify for my tiny brain, when you say reload on demand, does that involve a manual reload? |
No.
Init will do this for example
/etc/init.d/foo
-> /sbin/runscript
-> /bin/sh
-> /bin/bash
-> foo
foo then forks as a daemon or something, everything else unloads.
If a daemon internally calls out to sh or bash it will be like running a program which 99% of the time will close again promptly.
So nothing manual in reloading is required.
Quote: |
I knew back when I did an init 1 and then an init 3 to restart everything but, I think, the kernel and the glibc.
I don't know if that's still true with the OpenRC of today. |
Should still work on Gentoo/Linux.
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool |
|
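UberLord's point can be checked on a running Linux system: after an upgrade, a process still executing the replaced bash binary has a /proc exe link ending in "(deleted)". An added example, not from the thread, that lists such processes; `stale_shells` and the fake proc tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list processes still executing a bash/sh binary that has
# since been replaced on disk. Linux marks such /proc/PID/exe links "(deleted)".
# stale_shells and its optional proc-root argument are names chosen here.

stale_shells() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # readlink fails for other users' processes unless run as root; skip those
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        case $target in
            *"/bash (deleted)"|*"/sh (deleted)")
                printf '%s %s\n' "${dir##*/}" "$target" ;;
        esac
    done
}

# Constructed sample: a fake proc tree so the check can be exercised offline.
make_sample_proc() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/101" "$tmp/202" "$tmp/303"
    ln -s '/bin/bash (deleted)' "$tmp/101/exe"   # shell started before the upgrade
    ln -s '/bin/bash'           "$tmp/202/exe"   # shell started after the upgrade
    ln -s '/usr/sbin/foo'       "$tmp/303/exe"   # daemon that no longer holds a shell
    printf '%s\n' "$tmp"
}

sample=$(make_sample_proc)
stale_shells "$sample"
rm -rf "$sample"
```

Run without arguments (as root, to see every process) it reads the real /proc; anything it prints is a long-lived shell or script that needs restarting, and no output means no reboot is needed on bash's account.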
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
|
Posted: Wed Oct 22, 2014 7:56 pm Post subject: |
|
|
I just saw a few people sending shellshocks to me via http after about 2 weeks of silence.
Not quite forgotten just yet...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|