Gentoo Forums
Bash Vulnerability
jlpoole
Guru

Joined: 01 Nov 2005
Posts: 343
Location: Salem, OR

Posted: Wed Sep 24, 2014 11:06 pm    Post subject: Bash Vulnerability

I haven't seen any posting of this in the forums and so offer this up:

http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/

666threesixes666
Veteran

Joined: 31 May 2011
Posts: 1248
Location: 42.68n 85.41w

Posted: Wed Sep 24, 2014 11:20 pm

http://seclists.org/oss-sec/2014/q3/649

yup, disable ssh or update....

<shamus397> try this: LC_TIME='() { :;}; echo vulnerable' ssh <your systems hostname here>


Last edited by 666threesixes666 on Wed Sep 24, 2014 11:25 pm; edited 1 time in total

jlpoole
Guru

Joined: 01 Nov 2005
Posts: 343
Location: Salem, OR

Posted: Wed Sep 24, 2014 11:22 pm

I had several servers that were vulnerable. Updating to 4.2_p48 should make you safe from this one. 4.2_p45 is vulnerable.

Quote:

# eix app-shells/bash
[U] app-shells/bash
Available versions:
(3.1) 3.1_p17 3.1_p18
(3.2) 3.2_p51 3.2_p52
(4.0) 4.0_p38 4.0_p39
(4.1) 4.1_p11 4.1_p12
(0) 4.2_p45 4.2_p48 **4.3_p25
{afs bashlogger examples mem-scramble +net nls plugins +readline vanilla}
Installed versions: 4.2_p45(22:02:45 07/24/13)(net nls readline -afs -bashlogger -examples -mem-scramble -plugins -vanilla)
Homepage: http://tiswww.case.edu/php/chet/bash/bashtop.html
Description: The standard GNU Bourne again shell

* app-shells/bash-completion

Kilteroff
n00b

Joined: 18 Dec 2013
Posts: 36

Posted: Thu Sep 25, 2014 12:25 am

I'm sorry, how do you do this? My Emerge&Portage skills are still in devel -_-

jlpoole
Guru

Joined: 01 Nov 2005
Posts: 343
Location: Salem, OR

Posted: Thu Sep 25, 2014 12:27 am

Kilteroff wrote:
I'm sorry, how do you do this? My Emerge&Portage skills are still in devel -_-


Code:
emerge --sync
emerge app-shells/bash

The Doctor
Moderator

Joined: 27 Jul 2010
Posts: 2546

Posted: Thu Sep 25, 2014 12:32 am

That should be
Code:
emerge -1 app-shells/bash
Note the -1. Cluttering the world file is a bad idea.
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.

Kilteroff
n00b

Joined: 18 Dec 2013
Posts: 36

Posted: Thu Sep 25, 2014 12:32 am

That was the first thing I did, still app-shells/bash-4.2_p45 though :/

eccerr0r
Watchman

Joined: 01 Jul 2004
Posts: 7048
Location: almost Mile High in the USA

Posted: Thu Sep 25, 2014 12:34 am

https://forums.gentoo.org/viewtopic-t-1000670-highlight-.html

You can also just do a regular world update.

Use --oneshot to upgrade packages if you didn't explicitly emerge them... This will help out portage package messes down the road - though in this case, bash is unlikely to get orphaned...
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?

Kilteroff
n00b

Joined: 18 Dec 2013
Posts: 36

Posted: Thu Sep 25, 2014 12:46 am

Well I followed the instructions and ran emerge --ask --oneshot --verbose ">=app-shells/bash-4.2_p48"

Now I have app-shells/bash-4.3_p24-r1

Scurry stuff. Thanks for the help :)

wuzzerd
Guru

Joined: 05 Jan 2005
Posts: 451
Location: New Mexico

Posted: Thu Sep 25, 2014 1:31 am

Awesome: Gentoo has already handled this problem. Free beer for the devs!!

sk3l
Tux's lil' helper

Joined: 14 Jul 2012
Posts: 78
Location: CT USA

Posted: Thu Sep 25, 2014 2:10 am

666threesixes666 wrote:
http://seclists.org/oss-sec/2014/q3/649

yup, disable ssh or update....

<shamus397> try this: LC_TIME='() { :;}; echo vulnerable' ssh <your systems hostname here>


Seems like patching should take priority, but is disabling sshd really necessary? FWICT only sshd configs with ForceCommand enabled are vulnerable? If you're not running GIT or SVN or the like your SSH may be OK. Please correct me if I'm mistaken.

tld
Veteran

Joined: 09 Dec 2003
Posts: 1365

Posted: Thu Sep 25, 2014 3:30 pm

wuzzerd wrote:
Awesome: Gentoo has already handled this problem. Free beer for the devs!!

It also appears that the version in Gentoo seems to have addressed the fact that the original fix was incomplete:

https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c23

After updating:

Code:
env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
date
cat: echo: No such file or directory


However, on CentOS 6, the updated version which is supposed to be fixed appears to prevent the behavior as suggested in the original test, but does NOT deal with the above example:

Code:
env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Thu Sep 25 11:11:58 EDT 2014


Scary stuff. Gentoo devs are on top of this for sure!

Tom

Duncan Mac Leod
Apprentice

Joined: 02 May 2004
Posts: 251
Location: Germany

Posted: Thu Sep 25, 2014 8:33 pm

wuzzerd wrote:
Awesome: Gentoo has already handled this problem. Free beer for the devs!!


YES!! Free beer for the devs!! I love you!!! 8)

darookee
Apprentice

Joined: 02 Jan 2003
Posts: 162
Location: Long Beach, CA.

Posted: Thu Sep 25, 2014 9:26 pm

I have two systems running Gentoo; I updated them both as in https://forums.gentoo.org/viewtopic.php?p=7623082#7623082

One has GNU bash, version 4.2.48(1)-release (x86_64-pc-linux-gnu)
The other GNU bash, version 4.3.24(1)-release (x86_64-pc-linux-gnu)

When I run the test on the first I get this:
Code:

root:spork:~> env X='() { (a)=>\' /bin/bash -c "echo date"; cat echo
/bin/bash: X: line 1: syntax error near unexpected token `='
/bin/bash: X: line 1: `'
/bin/bash: error importing function definition for `X'
date
Thu Sep 25 23:21:21 CEST 2014
root:spork:~>


And on the second it is the same. Am I missing something? It looks like it is not fixed...?

tld
Veteran

Joined: 09 Dec 2003
Posts: 1365

Posted: Thu Sep 25, 2014 9:42 pm

darookee wrote:
And on the second it is the same. Am I missing something? It looks like it is not fixed...?

Actually I think you're correct. I noticed earlier that the updated Gentoo version had no patch other than the one known to be incomplete.

I think the above behavior I'm seeing, where I don't appear to have that issue, may possibly be because it's on an older x86 machine(??):

Code:
equery list bash
 * Searching for bash ...
[IP-] [  ] app-shells/bash-4.2_p48-r1:0

uname -a
Linux dell2 3.14.16-gentoo #1 SMP PREEMPT Tue Aug 19 11:25:32 EDT 2014 i686 Intel(R) Pentium(R) 4 CPU 2.53GHz GenuineIntel GNU/Linux

env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
date
cat: echo: No such file or directory


At least that's the only explanation I can imagine offhand. As you can see it's not occurring for me, but as far as I can see, there currently is no fix available yet for that one.

eccerr0r
Watchman

Joined: 01 Jul 2004
Posts: 7048
Location: almost Mile High in the USA

Posted: Fri Sep 26, 2014 12:08 am

I've seen multiple incantations of the bug detection script around; it looks like the one with bad syntax is the worrisome one.

host4248r1 is x86 running bash4.2_p48r1 -- I also have x86_64 and it behaves the same.
host4245 is x86_64 running bash4.2_p45
Code:
host4248r1$ bash
host4248r1$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
host4248r1$ exit
exit
host4248r1$ bash
host4248r1$ rm -f echo
host4248r1$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
date
cat: echo: No such file or directory
host4248r1$

The second one seems to be creating an improper function but oddly bash is still parsing it, but nevertheless it should not be executing it like on this vulnerable machine:
Code:
host4245$ bash
host4245$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
host4245$ exit
exit
host4245$ bash
host4245$ rm -f echo
host4245$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Thu Sep 25 17:43:15 MDT 2014

In any case it should not print out the date. Then again any function declaration appears to do rudimentary parsing:
Code:

host4248r1$ b() { (a)=> }
bash: syntax error near unexpected token `='

_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
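
Added example, not part of any post in this thread: the two checks compared above, wrapped as functions that run in a scratch directory so the stray `echo` file never lands in your working directory. The function names are made up for the example; the CVE labels follow the listing posted further down (CVE-2014-6271 for the original test, CVE-2014-7169 for the incomplete-fix test).

```sh
#!/bin/sh
# Added example (not from the thread). Pass a command name or an ABSOLUTE path
# to the shell under test; each check prints "vulnerable" or "not vulnerable".

# Original test: an affected bash runs the text that follows the function body
# while importing x from the environment, so "vulnerable" shows up on stdout.
check_6271() (
    shell=${1:-bash}
    command -v "$shell" >/dev/null 2>&1 || { echo "shell not found"; exit 2; }
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo this is a test' 2>/dev/null) || true
    case $out in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "not vulnerable" ;;
    esac
)

# Incomplete-fix test: an affected bash turns "echo date" into "date > echo",
# which leaves a file named "echo" in the current directory.
check_7169() (
    shell=${1:-bash}
    command -v "$shell" >/dev/null 2>&1 || { echo "shell not found"; exit 2; }
    dir=$(mktemp -d) || exit 2
    cd "$dir" || exit 2
    env X='() { (a)=>\' "$shell" -c 'echo date' >/dev/null 2>&1 || true
    if [ -e echo ]; then result="vulnerable"; else result="not vulnerable"; fi
    cd / && rm -rf -- "$dir"
    echo "$result"
)

# One line per check for the given shell.
report() {
    printf 'CVE-2014-6271 (original test): %s\n' "$(check_6271 "${1:-bash}")"
    printf 'CVE-2014-7169 (incomplete-fix test): %s\n' "$(check_7169 "${1:-bash}")"
}

# Example: report /bin/bash
```

These two checks say nothing about the later parser crashes (CVE-2014-7186 and CVE-2014-7187) that come up further down the thread.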

eccerr0r
Watchman

Joined: 01 Jul 2004
Posts: 7048
Location: almost Mile High in the USA

Posted: Fri Sep 26, 2014 2:37 am

Just want to report that I had two hosts from "security companies" probe my server for shellshock through httpd. At least they made it somewhat obvious; there are more subtle ways of doing it...
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
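
Added example, not part of any post in this thread: one way to spot the kind of httpd probe described above, by looking for logged request fields that begin with the `() {` function-definition prefix used in the test strings in this thread. It assumes Apache "combined" log format; the log lines are constructed sample data and the function names are made up for the example.

```sh
#!/bin/sh
# Constructed sample lines (documentation IP ranges), combined log format.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [26/Sep/2014:02:11:07 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [26/Sep/2014:02:20:41 +0000] "GET /cgi-bin/status HTTP/1.0" 404 345 "-" "() { :;}; echo vulnerable"
203.0.113.5 - - [26/Sep/2014:02:31:13 +0000] "GET / HTTP/1.1" 200 5120 "() { :; }; echo vulnerable" "scanner (research)"
198.51.100.7 - - [26/Sep/2014:02:33:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 404 345 "-" "() { :;}; echo vulnerable"
192.0.2.10 - - [26/Sep/2014:02:40:00 +0000] "GET /doc/func() HTTP/1.1" 200 88 "-" "notes on () { syntax"
EOF
}

# Print "<hits> <client-ip>" for every client that sent a quoted field
# (request line, Referer or User-Agent) STARTING with "() {".
# Reads the named log files, or stdin when none are given.
shellshock_probes() {
    # Splitting on double quotes puts the quoted fields at even positions:
    # $2 = request line, $4 = Referer, $6 = User-Agent.
    # Caveat: a field containing an escaped quote (\") shifts the positions.
    awk -F'"' '
        {
            for (i = 2; i <= NF; i += 2)
                if (index($i, "() {") == 1) {
                    split($1, head, " ")   # head[1] is the client address
                    hits[head[1]]++
                    break                  # count each request once
                }
        }
        END { for (ip in hits) print hits[ip], ip }
    ' "$@" | sort -k1,1nr -k2,2
}
```

Run it as `shellshock_probes /var/log/apache2/access_log` (path is an example) or pipe `sample_log` into it; the last sample line is a deliberate non-match, since the prefix appears mid-field rather than at the start.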

darookee
Apprentice

Joined: 02 Jan 2003
Posts: 162
Location: Long Beach, CA.

Posted: Fri Sep 26, 2014 10:05 am

I just checked again after updating one host to 4.3_p25-r1 and, 'magically', both hosts, the one running 4.2_p48-r1 and the other, don't show the 'vulnerable' behavior, even though I didn't do anything on the bash-4.2 host... Funny...

Code:

$ equery list bash
[IP-] [  ] app-shells/bash-4.2_p48-r1:0

$ uname -a
Linux spork 3.10.17-gentoo #1 SMP Thu Nov 21 02:14:03 CET 2013 x86_64 AMD FX(tm)-4100 Quad-Core Processor AuthenticAMD GNU/Linux

$ env x='() { :;}; echo vulnerable' /bin/bash -c "echo this is a test"
/bin/bash: warning: x: ignoring function definition attempt
/bin/bash: error importing function definition for `x'
this is a test


Code:

$ equery list bash
[IP-] [  ] app-shells/bash-4.3_p25-r1:0

$ uname -a
Linux mirinda 3.8.13 #3 SMP Sun Dec 15 21:23:34 CET 2013 x86_64 AMD Athlon(tm) II X2 240 Processor AuthenticAMD GNU/Linux

$ env x='() { :;}; echo vulnerable' /bin/bash -c "echo this is a test"
/bin/bash: warning: x: ignoring function definition attempt
/bin/bash: error importing function definition for `x'
this is a test

eccerr0r
Watchman

Joined: 01 Jul 2004
Posts: 7048
Location: almost Mile High in the USA

Posted: Sat Sep 27, 2014 3:40 pm

Looks like bash-4.2_p49 is available on portage now, which is the same as Gentoo's p48-r1 (which got obsoleted).
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?

ChrisJumper
Advocate

Joined: 12 Mar 2005
Posts: 2205
Location: Germany

Posted: Mon Sep 29, 2014 5:40 pm

The show must go on: app-shells/bash-4.2_p50 is available now.

baragoon
n00b

Joined: 11 Feb 2013
Posts: 12

Posted: Tue Sep 30, 2014 11:47 am

ChrisJumper wrote:
The show must go on: app-shells/bash-4.2_p50 is available now.

But still vulnerable...
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
/root/t.sh: line 18: 2692 Segmentation fault bash -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs

patrix_neo
Guru

Joined: 08 Jan 2004
Posts: 515
Location: The Maldives

Posted: Tue Sep 30, 2014 6:36 pm

Red Hat offered SJVN @ ZDNet some tips on how to check if your bash is vulnerable or not. It includes talk about the CVE-2014-7186 bug.

http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/

Mine: bash-4.2_p50 made the tests.
Test 1
bash tests#1@zdnet wrote:

env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"


bash result#1@zdnet wrote:


bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test



NOTE: With bash-4.2_p50, bash replied with: test only. Good or bad, I don't know.

Test 2
bash tests#2@zdnet wrote:

cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo


bash result#2 wrote:


date
cat: /tmp/echo: No such file or directory


geeksheik
Tux's lil' helper

Joined: 07 Sep 2003
Posts: 87

Posted: Thu Oct 02, 2014 11:48 am    Post subject: Corrupted bash ebuild - 4.2_p51 [fixed]

This may deserve a new thread; it seems that the bash ebuild is currently corrupted. I did the system update several days ago, and there have been already a few new releases in the meantime. Now the ebuild seems to be broken or corrupted. I'm guessing that it's due to a transfer error between servers, but this is the type of message that one would see if there is intentional manipulation.

Quote:

Starting emerge -u -D -v -N world on 20141002_133808...

These are the packages that would be merged, in order:

Calculating dependencies .... .... done!
[ebuild U ] app-shells/bash-4.2_p51 [4.2_p48-r1] USE="examples net nls (readline) -afs -bashlogger -mem-scramble -plugins -vanilla" 13 kB
[ebuild U ] net-proxy/squid-3.3.13-r1 [3.3.13] USE="ipv6 ldap logrotate mysql pam ssl -caps -ecap -icap-client (-ipf-transparent) -kerberos (-kqueue) -nis (-pf-transparent) -postgres -qos -radius -samba -sasl (-selinux) -snmp -sqlite -ssl-crtd {-test} -tproxy" 0 kB
[ebuild U ~] media-gfx/ufraw-0.20 [0.19.2] USE="gnome gtk openmp -contrast -fits -gimp -timezone" 1,062 kB
[ebuild U ] net-misc/dhcpcd-6.4.7 [6.4.3] USE="ipv6 udev" 152 kB
[ebuild U ] sys-apps/portage-2.2.8-r2 [2.2.8-r1] USE="(ipc) -build -doc -epydoc (-pypy2_0) -python2 -python3 (-selinux) -xattr" LINGUAS="-ru" PYTHON_TARGETS="python2_7 python3_3 (-pypy2_0) (-python2_6) (-python3_2) (-python3_4)" 0 kB
[ebuild U ] dev-vcs/git-2.0.4 [1.8.5.5] USE="blksha1 curl doc emacs gpg gtk iconv nls pcre perl python subversion threads tk webdav -cgi -cvs -gnome-keyring -highlight -mediawiki (-ppcsha1) {-test} -xinetd" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7" 4,628 kB

Total: 6 packages (6 upgrades), Size of downloads: 5,853 kB

>>> Verifying ebuild manifests


!!! Digest verification failed:
!!! /usr/portage/app-shells/bash/bash-4.1_p15.ebuild
!!! Reason: Filesize does not match recorded size
!!! Got: 4200
!!! Expected: 4201


Quote:

-> cat /usr/portage/metadata/timestamp.chk
Thu, 02 Oct 2014 11:30:01 +0000


I already re-synced once and got the same result.


Last edited by geeksheik on Sat Oct 04, 2014 2:31 pm; edited 1 time in total

gerard27
Advocate

Joined: 04 Jan 2004
Posts: 2377
Location: Netherlands

Posted: Thu Oct 02, 2014 2:09 pm

Had the same problem.
Resynced and it compiled properly.
Gerard.
_________________
To install Gentoo I use sysrescuecd. Based on Gentoo, has firefox to browse Gentoo docs and mc to browse (and edit) files.
The same disk can be used for 32 and 64 bit installs.
You can follow the Handbook verbatim.
http://www.sysresccd.org/Download

patrix_neo
Guru

Joined: 08 Jan 2004
Posts: 515
Location: The Maldives

Posted: Fri Oct 03, 2014 10:12 pm

Security-wise I feel undressed. Thanks for every effort though. I will reboot soonish.

All times are GMT