jlpoole Guru
Joined: 01 Nov 2005 Posts: 482 Location: Salem, OR
|
|
666threesixes666 Veteran
Joined: 31 May 2011 Posts: 1248 Location: 42.68n 85.41w
|
Posted: Wed Sep 24, 2014 11:20 pm Post subject: |
|
|
http://seclists.org/oss-sec/2014/q3/649
yup, disable ssh or update....
<shamus397> try this: LC_TIME='() { :;}; echo vulnerable' ssh <your systems hostname here>
Last edited by 666threesixes666 on Wed Sep 24, 2014 11:25 pm; edited 1 time in total |
|
jlpoole Guru
Joined: 01 Nov 2005 Posts: 482 Location: Salem, OR
|
Posted: Wed Sep 24, 2014 11:22 pm Post subject: |
|
|
I had several servers that were vulnerable. Updating to 4.2_p48 should make you safe from this one. 4.2_p45 is vulnerable.
Quote: |
# eix app-shells/bash
[U] app-shells/bash
Available versions:
(3.1) 3.1_p17 3.1_p18
(3.2) 3.2_p51 3.2_p52
(4.0) 4.0_p38 4.0_p39
(4.1) 4.1_p11 4.1_p12
(0) 4.2_p45 4.2_p48 **4.3_p25
{afs bashlogger examples mem-scramble +net nls plugins +readline vanilla}
Installed versions: 4.2_p45(22:02:45 07/24/13)(net nls readline -afs -bashlogger -examples -mem-scramble -plugins -vanilla)
Homepage: http://tiswww.case.edu/php/chet/bash/bashtop.html
Description: The standard GNU Bourne again shell
* app-shells/bash-completion
|
|
|
Kilteroff n00b
Joined: 18 Dec 2013 Posts: 36
|
Posted: Thu Sep 25, 2014 12:25 am Post subject: |
|
|
I'm sorry, how do you do this? My Emerge&Portage skills are still in devel -_- |
|
jlpoole Guru
Joined: 01 Nov 2005 Posts: 482 Location: Salem, OR
|
Posted: Thu Sep 25, 2014 12:27 am Post subject: |
|
|
Kilteroff wrote: | I'm sorry, how do you do this? My Emerge&Portage skills are still in devel -_- |
Code: | emerge --sync
emerge app-shells/bash
|
|
|
The Doctor Moderator
Joined: 27 Jul 2010 Posts: 2678
|
Posted: Thu Sep 25, 2014 12:32 am Post subject: |
|
|
That should be
Code: | emerge -1 app-shells/bash
|
Note the -1. Cluttering the world file is a bad idea. _________________ First things first, but not necessarily in that order.
Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box. |
|
Kilteroff n00b
Joined: 18 Dec 2013 Posts: 36
|
Posted: Thu Sep 25, 2014 12:32 am Post subject: |
|
|
That was the first thing I did, still app-shells/bash-4.2_p45 though :/ |
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
|
Posted: Thu Sep 25, 2014 12:34 am Post subject: |
|
|
https://forums.gentoo.org/viewtopic-t-1000670-highlight-.html
You can also just do a regular world update.
Use --oneshot to upgrade packages if you didn't explicitly emerge them... This will help out portage package messes down the road - though in this case, bash is unlikely to get orphaned... _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
Kilteroff n00b
Joined: 18 Dec 2013 Posts: 36
|
Posted: Thu Sep 25, 2014 12:46 am Post subject: |
|
|
Well I followed the instructions and ran emerge --ask --oneshot --verbose ">=app-shells/bash-4.2_p48"
Now I have app-shells/bash-4.3_p24-r1
Scurry stuff. Thanks for the help |
|
wuzzerd Guru
Joined: 05 Jan 2005 Posts: 466 Location: New Mexico
|
Posted: Thu Sep 25, 2014 1:31 am Post subject: |
|
|
Awesome: Gentoo has already handled this problem. Free beer for the devs!! |
|
sk3l Tux's lil' helper
Joined: 14 Jul 2012 Posts: 78 Location: CT USA
|
Posted: Thu Sep 25, 2014 2:10 am Post subject: |
|
|
666threesixes666 wrote: | http://seclists.org/oss-sec/2014/q3/649
yup, disable ssh or update....
<shamus397> try this: LC_TIME='() { :;}; echo vulnerable' ssh <your systems hostname here> |
Seems like patching should take priority, but is disabling sshd really necessary? FWICT only sshd configs with ForceCommand enabled are vulnerable? If you're not running GIT or SVN or the like your SSH may be OK. Please correct me if I'm mistaken. |
|
tld Veteran
Joined: 09 Dec 2003 Posts: 1816
|
Posted: Thu Sep 25, 2014 3:30 pm Post subject: |
|
|
wuzzerd wrote: | Awesome: Gentoo has already handled this problem. Free beer for the devs!! |
It also appears that the version in Gentoo seems to have addressed the fact that the original fix was incomplete:
https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c23
After updating:
Code: | env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
date
cat: echo: No such file or directory
|
However, on CentOS 6, the updated version which is supposed to be fixed appears to prevent the behavior as suggested in the original test, but does NOT deal with the above example:
Code: | env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Thu Sep 25 11:11:58 EDT 2014
|
Scary stuff. Gentoo devs are on top of this for sure!
Tom |
|
Duncan Mac Leod Guru
Joined: 02 May 2004 Posts: 311 Location: Germany
|
Posted: Thu Sep 25, 2014 8:33 pm Post subject: |
|
|
wuzzerd wrote: | Awesome: Gentoo has already handled this problem. Free beer for the devs!! |
YES!! Free beer for the devs!! I love you!!! |
|
darookee Apprentice
Joined: 02 Jan 2003 Posts: 162 Location: Long Beach, CA.
|
Posted: Thu Sep 25, 2014 9:26 pm Post subject: |
|
|
I have two systems running gentoo, I updated them both as in https://forums.gentoo.org/viewtopic.php?p=7623082#7623082
One has GNU bash, version 4.2.48(1)-release (x86_64-pc-linux-gnu)
The other GNU bash, version 4.3.24(1)-release (x86_64-pc-linux-gnu)
When I run the test on the first I get this:
Code: |
root:spork:~> env X='() { (a)=>\' /bin/bash -c "echo date"; cat echo
/bin/bash: X: line 1: syntax error near unexpected token `='
/bin/bash: X: line 1: `'
/bin/bash: error importing function definition for `X'
date
Thu Sep 25 23:21:21 CEST 2014
root:spork:~>
|
And on the second it is the same. Am I missing something? It looks like it is not fixed...? |
|
tld Veteran
Joined: 09 Dec 2003 Posts: 1816
|
Posted: Thu Sep 25, 2014 9:42 pm Post subject: |
|
|
darookee wrote: | And on the second it is the same. Am I missing something? It looks like it is not fixed...? |
Actually I think you're correct. I noticed earlier that the updated Gentoo version had no patch other than the one known to be incomplete.
I think the above behavior I'm seeing, where I don't appear to have that issue, may possibly be because it's on an older x86 machine(??):
Code: | equery list bash
* Searching for bash ...
[IP-] [ ] app-shells/bash-4.2_p48-r1:0
uname -a
Linux dell2 3.14.16-gentoo #1 SMP PREEMPT Tue Aug 19 11:25:32 EDT 2014 i686 Intel(R) Pentium(R) 4 CPU 2.53GHz GenuineIntel GNU/Linux
env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
date
cat: echo: No such file or directory
|
At least that's the only explanation I can imagine offhand. As you can see it's not occurring for me, but as far as I can see, there currently is no fix available yet for that one. |
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
|
Posted: Fri Sep 26, 2014 12:08 am Post subject: |
|
|
I've seen multiple incantations of the bug detection script around, it looks like the one with bad syntax is the worrisome one.
host4248r1 is x86 running bash4.2_p48r1 -- I also have x86_64 and behaves the same.
host4245 is x86_64 running bash4.2_p45
Code: | host4248r1$ bash
host4248r1$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
host4248r1$ exit
exit
host4248r1$ bash
host4248r1$ rm -f echo
host4248r1$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
date
cat: echo: No such file or directory
host4248r1$
|
The second one seems to be creating an improper function but oddly bash is still parsing it, but nevertheless it should not be executing it like on this vulnerable machine:
Code: | host4245$ bash
host4245$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
host4245$ exit
exit
host4245$ bash
host4245$ rm -f echo
host4245$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Thu Sep 25 17:43:15 MDT 2014
|
In any case it should not print out the date. Then again any function declaration appears to do rudimentary parsing:
Code: |
host4248r1$ b() { (a)=> }
bash: syntax error near unexpected token `='
|
_________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
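The two checks run in this thread, wrapped as an added example (not any poster's script; the function names and the optional shell-path argument are assumptions). Because `cat echo` prints any file named `echo` already present in the working directory, the second check is decided by whether that file appears in a fresh temporary directory:

```shell
#!/bin/sh
# Added example (not from the thread): run the two checks quoted above against
# a chosen shell. The function names and the "target" argument are assumptions.

# CVE-2014-6271: a vulnerable bash runs the command that trails the function
# body while importing the environment variable, so "vulnerable" is printed.
check_6271() {
    shell=${1:-bash}
    # A missing or failing shell leaves $out empty, reported as inconclusive.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo this is a test' 2>/dev/null) || :
    case $out in
        *vulnerable*)       echo "vulnerable" ;;
        *"this is a test"*) echo "not vulnerable" ;;
        *)                  echo "inconclusive" ;;
    esac
}

# CVE-2014-7169: a vulnerable bash ends up running `date` with its output
# redirected to a file named "echo" in the current directory. The verdict is
# taken from whether that file appears in a fresh directory, so a leftover
# ./echo from an earlier run cannot influence it.
check_7169() {
    shell=${1:-bash}
    dir=$(mktemp -d) || { echo "inconclusive"; return 0; }
    # The command substitution is a subshell: the caller's cwd is unchanged.
    out=$(cd "$dir" && env X='() { (a)=>\' "$shell" -c 'echo date' 2>/dev/null) || :
    if [ -e "$dir/echo" ]; then
        result="vulnerable"
    elif [ "$out" = "date" ]; then
        result="not vulnerable"
    else
        result="inconclusive"
    fi
    rm -rf "$dir"
    echo "$result"
}

# Usage: sh shellshock-check.sh [path-to-shell]   (defaults to bash in PATH)
target=${1:-bash}
echo "CVE-2014-6271: $(check_6271 "$target")"
echo "CVE-2014-7169: $(check_7169 "$target")"
```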
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
|
Posted: Fri Sep 26, 2014 2:37 am Post subject: |
|
|
Just want to report that I had two hosts from "security companies" probe my server for shellshock through httpd. At least they made it somewhat obvious; there are more subtle ways of doing it... _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
darookee Apprentice
Joined: 02 Jan 2003 Posts: 162 Location: Long Beach, CA.
|
Posted: Fri Sep 26, 2014 10:05 am Post subject: |
|
|
I just checked again after updating one host to 4.3_p25-r1 and, 'magically', both hosts, the one running 4.2_p48-r1 and the other, don't show the 'vulnerable' behavior, even though I didn't do anything on the bash-4.2 host... Funny...
Code: |
$ equery list bash
[IP-] [ ] app-shells/bash-4.2_p48-r1:0
$ uname -a
Linux spork 3.10.17-gentoo #1 SMP Thu Nov 21 02:14:03 CET 2013 x86_64 AMD FX(tm)-4100 Quad-Core Processor AuthenticAMD GNU/Linux
$ env x='() { :;}; echo vulnerable' /bin/bash -c "echo this is a test"
/bin/bash: warning: x: ignoring function definition attempt
/bin/bash: error importing function definition for `x'
this is a test
|
Code: |
$ equery list bash
[IP-] [ ] app-shells/bash-4.3_p25-r1:0
$ uname -a
Linux mirinda 3.8.13 #3 SMP Sun Dec 15 21:23:34 CET 2013 x86_64 AMD Athlon(tm) II X2 240 Processor AuthenticAMD GNU/Linux
$ env x='() { :;}; echo vulnerable' /bin/bash -c "echo this is a test"
/bin/bash: warning: x: ignoring function definition attempt
/bin/bash: error importing function definition for `x'
this is a test
|
|
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
|
Posted: Sat Sep 27, 2014 3:40 pm Post subject: |
|
|
looks like bash-4.2_p49 is available on portage now, which is the same as Gentoo's p48-r1 (which got obsoleted). _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
ChrisJumper Advocate
Joined: 12 Mar 2005 Posts: 2390 Location: Germany
|
Posted: Mon Sep 29, 2014 5:40 pm Post subject: |
|
|
The show must go on: app-shells/bash-4.2_p50 is available now. |
|
baragoon n00b
Joined: 11 Feb 2013 Posts: 12
|
Posted: Tue Sep 30, 2014 11:47 am Post subject: |
|
|
ChrisJumper wrote: | The show must go on: app-shells/bash-4.2_p50 is available now. |
But still vulnerable...
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
/root/t.sh: line 18: 2692 Segmentation fault bash -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs |
|
patrix_neo Guru
Joined: 08 Jan 2004 Posts: 520 Location: The Maldives
|
Posted: Tue Sep 30, 2014 6:36 pm Post subject: |
|
|
Redhat offered SJVN @ zdnet some tip how to check if your bash is vulnerable or not. It includes talk about the CVE-2014-7186 bug.
http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/
Mine: bash-4.2_p50 made the tests.
Test 1
bash tests#1@zdnet wrote: |
env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
|
bash result#1@zdnet wrote: |
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test
|
NOTE: With bash-4.2_p50, bash replied with: test only. Good or bad, I don't know.
Test 2
bash tests#2@zdnet wrote: |
cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
|
bash result#2 wrote: |
date
cat: /tmp/echo: No such file or directory
|
|
|
geeksheik Tux's lil' helper
Joined: 07 Sep 2003 Posts: 99 Location: Zürich, Switzerland
|
Posted: Thu Oct 02, 2014 11:48 am Post subject: Corrupted bash ebuild - 4.2_p51 [fixed] |
|
|
This may deserve a new thread; it seems that the bash ebuild is currently corrupted. I did the system update several days ago, and there have been already a few new releases in the meantime. Now the ebuild seems to be broken or corrupted. I'm guessing that it's due to a transfer error between servers, but this is the type of message that one would see if there is intentional manipulation.
Quote: |
Starting emerge -u -D -v -N world on 20141002_133808...
These are the packages that would be merged, in order:
Calculating dependencies .... .... done!
[ebuild U ] app-shells/bash-4.2_p51 [4.2_p48-r1] USE="examples net nls (readline) -afs -bashlogger -mem-scramble -plugins -vanilla" 13 kB
[ebuild U ] net-proxy/squid-3.3.13-r1 [3.3.13] USE="ipv6 ldap logrotate mysql pam ssl -caps -ecap -icap-client (-ipf-transparent) -kerberos (-kqueue) -nis (-pf-transparent) -postgres -qos -radius -samba -sasl (-selinux) -snmp -sqlite -ssl-crtd {-test} -tproxy" 0 kB
[ebuild U ~] media-gfx/ufraw-0.20 [0.19.2] USE="gnome gtk openmp -contrast -fits -gimp -timezone" 1,062 kB
[ebuild U ] net-misc/dhcpcd-6.4.7 [6.4.3] USE="ipv6 udev" 152 kB
[ebuild U ] sys-apps/portage-2.2.8-r2 [2.2.8-r1] USE="(ipc) -build -doc -epydoc (-pypy2_0) -python2 -python3 (-selinux) -xattr" LINGUAS="-ru" PYTHON_TARGETS="python2_7 python3_3 (-pypy2_0) (-python2_6) (-python3_2) (-python3_4)" 0 kB
[ebuild U ] dev-vcs/git-2.0.4 [1.8.5.5] USE="blksha1 curl doc emacs gpg gtk iconv nls pcre perl python subversion threads tk webdav -cgi -cvs -gnome-keyring -highlight -mediawiki (-ppcsha1) {-test} -xinetd" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7" 4,628 kB
Total: 6 packages (6 upgrades), Size of downloads: 5,853 kB
>>> Verifying ebuild manifests
!!! Digest verification failed:
!!! /usr/portage/app-shells/bash/bash-4.1_p15.ebuild
!!! Reason: Filesize does not match recorded size
!!! Got: 4200
!!! Expected: 4201
|
Quote: |
-> cat /usr/portage/metadata/timestamp.chk
Thu, 02 Oct 2014 11:30:01 +0000
|
I already re-synced once and got the same result.
Last edited by geeksheik on Sat Oct 04, 2014 2:31 pm; edited 1 time in total |
|
gerard27 Advocate
Joined: 04 Jan 2004 Posts: 2377 Location: Netherlands
|
Posted: Thu Oct 02, 2014 2:09 pm Post subject: |
|
|
Had the same problem.
Resynced and it compiled properly.
Gerard. _________________ To install Gentoo I use sysrescuecd. Based on Gentoo, has firefox to browse Gentoo docs and mc to browse (and edit) files.
The same disk can be used for 32 and 64 bit installs.
You can follow the Handbook verbatim.
http://www.sysresccd.org/Download |
|
patrix_neo Guru
Joined: 08 Jan 2004 Posts: 520 Location: The Maldives
|
Posted: Fri Oct 03, 2014 10:12 pm Post subject: |
|
|
Security wise I feel undressed..Thanks for every effort though. I will reboot soonish. |
|