Bash Vulnerability

geeksheik · Posted: Sat Oct 04, 2014 2:34 pm Post subject:

The corrupted ebuild was fixed the same day.

A big thanks to the maintainers (both Gentoo & upstream); I'm sure it's not an easy time at the moment.

eccerr0r · Posted: Mon Oct 06, 2014 8:45 pm Post subject:

Arrgh... It's the broken again shell!
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

ct85711 · Veteran Joined: 27 Sep 2005 Posts: 1791

At least the one good thing about these vulnerabilities in bash; is that it's getting a lot closer review; finding all these other issues that should have been fixed a long time ago. Hopefuly someone is also taking a look on zsh, dash, etc for similar issues.

eccerr0r · Posted: Tue Oct 07, 2014 12:03 am Post subject:

It almost looks like a house of cards there... It looks like a whole bunch of bugs that were discovered related to environment function passing (which can be a good thing) one after another...

Is function passing a feature specific to bash? I'd imagine this shouldn't be a unique feature. There have been tons of restrictions of what can and can't be passed (variables, exported variables, etc.), and having them pass can make scripts run considerably faster...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

ct85711 · Veteran Joined: 27 Sep 2005 Posts: 1791

my thoughts on function passing, is more of the data being used in one environment shouldn't be idlely used outside of it's environment. So any data used in one function shouldn't be accessible outside of that function, unless it was explicitly passed onto another function. Now a function jumping to another, sound more like a uncontrolled operation than anything else (like how do you know every time, it will always jump to that function, and not some rogue one that was injected into the tree above it).

*Note* I wouldn't consider myself as a programmer, more of a hobbyist; as I'm not too skilled on programming yet.

Hu · Moderator Joined: 06 Mar 2007 Posts: 21631

Function inheritance may not be unique to bash, but there is no standard on how to do it, so any other shells that do it likely do it differently from bash, especially now that bash has several different ways of doing it, depending on which patch level you run.

I believe I saw a comment on one of the mailing lists that the reason this was so broken is that the bash parser was never considered a security boundary until Shellshock hit. The assumption was always that by the time the user could feed it bad input, the shell was running and ready to do as you asked, so the only thing you could achieve by feeding it bad input was to crash the shell. Shellshock was a problem because the parser consumed user input while running with fewer restrictions than the user would have when the shell finished initializing and began accepting interactive input.

ChrisJumper · Advocate Joined: 12 Mar 2005 Posts: 2390 Location: Germany

At the next Time index tick, your Bash should have Version: 4.2_p53.

eccerr0r · Posted: Thu Oct 09, 2014 3:42 pm Post subject:

The http attacks have dropped down a lot... I got one yesterday and it's sort of disguised as beneficial fix but how could they fix it? You can't fix bash without root...

And as expected... it's yet another command and remote control irc bot.

Oh well.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

patrix_neo · Guru Joined: 08 Jan 2004 Posts: 520 Location: The Maldives

The last two weeks I have been rebooting my system (just-in-case) more times than I usually do in the span of months consuming a big part of a year.
I feel that necessary reboots has become a more frequent behavior for us linux folks.

But, as I have made it to believe, this bash problem was a security issue meant to happen. Has been overlooked, that is.
Anyway..

ct85711 · Veteran Joined: 27 Sep 2005 Posts: 1791

just wondering, why are you needing to reboot so frequently? I've been leaving my computer on all the time, and I only reboot when I switch OS (lately, been often for class), otherwise I haven't ever really needed to reboot. You can't say because of all these security issues; as there's always some new security issue for some software nearly daily. That part is a matter of life for any OS, (Windows, you just don't get told, and doesn't get fixed till several months later on). Just like, there some new version of software out. Bash by it's self, is the easiest thing in reguards to updating to the new version installed; most you need to do is reload the terminal window/log out and log back in, and it's using latest bash (that is installed).

The point I am getting at; is, there's no point worrying about some security issue. There will always be some new one; the most you can do is update your software, monitor your system(s) and continue with your life (it's not going to end, about something so minor). The developers here (including for most of the Linux environment) will adress the security issues as fast as they can and you should have access to a patch relatively fast.

patrix_neo · Guru Joined: 08 Jan 2004 Posts: 520 Location: The Maldives

UberLord · Posted: Tue Oct 21, 2014 11:03 pm Post subject:

patrix_neo · Guru Joined: 08 Jan 2004 Posts: 520 Location: The Maldives

UberLord · Posted: Wed Oct 22, 2014 2:57 am Post subject:

eccerr0r · Posted: Wed Oct 22, 2014 7:56 pm Post subject:

I just saw a few people sending shellshocks to me via http after about 2 weeks of silence.
Not quite forgotten just yet...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?