[kwlug-disc] Vulnerability in bash

Khalid Baheyeldin kb at 2bits.com
Thu Sep 25 09:35:33 EDT 2014


The test for the vulnerability is typing this in a bash shell:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you get just "this is a test" with some warnings, then you are not
vulnerable.
If you get "vulnerable" as part of the output, then you are.

Like many who run a Debian based distro, I use apticron to get email
notifications of updates to the exact packages that I have installed. I got
notified yesterday noon-ish of the update and got it installed.

I did not need to reboot nor start the shells I have open in screen. The
output of the test above says I am not vulnerable, but I did not do a
before and after on the same machine (although a pristine virtual image
does show it is vulnerable).

So, don't think a shell restart is necessary based on the tests above. How
is this done? I don't know. There are no shared libraries included in the
package (dpkg -L bash).

On Thu, Sep 25, 2014 at 1:05 AM, B.S. <bs27975 at yahoo.ca> wrote:

> On Wed, 24 Sep 2014 23:21:57 -0400
> "L.D. Paniak" <ldpaniak at fourpisolutions.com> wrote:
>
> > The list should be aware of a newly-announced and particularly nasty
> > parsing bug with all versions of bash:
> >
> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
> >
> > The combination of "network exploitable" and "authentication not
> > required" make this a "10" on the severity scale.
> >
> > Updated packages for current versions of Ubuntu look to have been
> > pushed out earlier today:
> > https://launchpad.net/ubuntu/+source/bash
>
> Presumably, at the least, a post-update logout/login will be necessary
> on each machine, if not an entire reboot. (Care to trust that ALL
> scripts run between turn on and user prompt use sh not bash? And that
> sh hasn't been inadvertently equivalenced to bash?)
>
> Given that most of us probably have a command line up (outside of any
> GUI too!), and thus in memory. Updating will catch any new instances,
> but not those you're already in the middle of.
>
> I suppose this means rebooting all servers, too. <sigh?>
>
> I wonder if we should expect to see some further script updates to
> follow. i.e. 'Inadvertent' taking advantage of 'hole' for non-nefarious
> purposes now needing tweaking due to the update. (e.g. Things becoming
> broken, albeit things originally written with the best of intentions.)
>
>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>



-- 
Khalid M. Baheyeldin
2bits.com, Inc.
Fast Reliable Drupal
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
Simplicity is the ultimate sophistication. --   Leonardo da Vinci
For every complex problem, there is an answer that is clear, simple, and
wrong. -- H.L. Mencken
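Added example, not part of the original post or the quoted replies: a small POSIX shell script that wraps the one-line test above so it can be pointed at an explicit bash binary (the path argument and the status words "vulnerable", "patched", "no-bash" and "unknown" are this example's own choices), plus a check of what `sh` resolves to, which is the "sh equivalenced to bash" question raised in the quoted reply. One caveat worth keeping in mind when reading the result: `bash -c` starts a fresh process from the binary on disk, so the test reports on the installed package, not on the process image of a shell that was already running in screen before the update.

```shell
#!/bin/sh
# Added example (not from the original post): wrap the CVE-2014-6271 test
# so it can be run against a given bash binary and returns a status word.
# Because `bash -c` starts a fresh process from the binary on disk, the
# result describes the installed package, not shells already running.

shellshock_status() {
    bash_bin="${1:-bash}"   # assumed: bash on PATH, or an explicit path such as /bin/bash
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    # The crafted variable looks like an exported function definition with a
    # trailing command. A vulnerable bash executes that trailing command while
    # importing the environment; a patched bash only runs the -c command
    # (possibly printing warnings on stderr, which are discarded here).
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*)        echo "vulnerable" ;;
        *"this is a test"*)  echo "patched" ;;
        *)                   echo "unknown" ;;
    esac
}

sh_target() {
    # Report what `sh` resolves to, so you know whether scripts run via
    # #!/bin/sh are in fact executed by bash (dash is the usual answer on
    # Debian-based systems, bash on some others).
    sh_path=$(command -v sh 2>/dev/null) || { echo "no-sh"; return 0; }
    if target=$(readlink -f "$sh_path" 2>/dev/null) && [ -n "$target" ]; then
        echo "$target"
    else
        echo "$sh_path"
    fi
}

# Usage: run after installing the updated package.
#   shellshock_status            # tests whatever `bash` is on PATH
#   shellshock_status /bin/bash  # tests an explicit binary
#   sh_target                    # shows which shell /bin/sh really is
```

Running `shellshock_status` from inside an old screen session still exercises the new binary, because each invocation spawns a new bash; to find long-running processes that still hold the pre-update image in memory you would need to look at process start times rather than at this test.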