[kwlug-disc] Vulnerability in bash

Fernando Duran liberosec at yahoo.ca
Thu Sep 25 09:59:30 EDT 2014


In Ubuntu the new bash fixes it (at least the test): 
sudo apt-get update && sudo apt-get install bash


--------------------- 
Fernando Duran 
http://www.fduran.com


On Thursday, September 25, 2014 9:47 AM, Khalid Baheyeldin <kb at 2bits.com> wrote:


>
>
>Yes, you are OK. 
>Same output as I am having on 14.04 and 12.04.
>
>
>
>On Thu, Sep 25, 2014 at 9:43 AM, CrankyOldBugger <crankyoldbugger at gmail.com> wrote:
>
>I got:
>>
>>
>>:~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>>bash: warning: x: ignoring function definition attempt
>>bash: error importing function definition for `x'
>>this is a test
>>
>>
>>:~$ uname -a
>>Linux Quorra 3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3 21:30:07 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>>
>>
>>This is on an Ubuntu 14.10 laptop.
>>So I guess I'm ok!
>>
>>
>>
>>
>>
>>
>>
>>
>>On 25 September 2014 09:35, Khalid Baheyeldin <kb at 2bits.com> wrote:
>>
>>The test for the vulnerability is typing this in a bash shell:
>>>
>>>env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>>>
>>>
>>>If you get just "this is a test" with some warnings, then you are not vulnerable.
>>>If you get "vulnerable" as part of the output, then you are.
>>>
>>>Like many who run a Debian based distro, I use apticron to get email notifications of updates to the exact packages that I have installed. I got notified yesterday noon-ish of the update and got it installed.
>>>
>>>I did not need to reboot nor start the shells I have open in screen. The output of the test above says I am not vulnerable, but I did not do a before and after on the same machine (although a pristine virtual image does show it is vulnerable).
>>>
>>>
>>>So, don't think a shell restart is necessary based on the tests above. How is this done? I don't know. There are no shared libraries included in the package (dpkg -L bash).
>>>
>>>
>>>
>>>On Thu, Sep 25, 2014 at 1:05 AM, B.S. <bs27975 at yahoo.ca> wrote:
>>>
>>>On Wed, 24 Sep 2014 23:21:57 -0400
>>>>"L.D. Paniak" <ldpaniak at fourpisolutions.com> wrote:
>>>>
>>>>> The list should be aware of a newly-announced and particularly nasty
>>>>> parsing bug with all versions of bash:
>>>>>
>>>>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
>>>>>
>>>>> The combination of "network exploitable" and "authentication not
>>>>> required"  make this a "10" on the severity scale.
>>>>>
>>>>> Updated packages for current versions of Ubuntu look to have been
>>>>> pushed out earlier today:
>>>>> https://launchpad.net/ubuntu/+source/bash
>>>>
>>>>Presumably, at the least, a post-update logout/login will be necessary
>>>>on each machine, if not an entire reboot. (Care to trust that ALL
>>>>scripts run between turn on and user prompt use sh not bash? And that
>>>>sh hasn't been inadvertently equivalenced to bash?)
>>>>
>>>>Given that most of us probably have a command line up (outside of any
>>>>GUI too!), and thus in memory. Updating will catch any new instances,
>>>>but not those you're already in the middle of.
>>>>
>>>>I suppose this means rebooting all servers, too. <sigh?>
>>>>
>>>>I wonder if we should expect to see some further script updates to
>>>>follow. i.e. 'Inadvertent' taking advantage of 'hole' for non-nefarious
>>>>purposes now needing tweaking due to the update. (e.g. Things becoming
>>>>broken, albeit things originally written with the best of intentions.)
>>>>
>>>>
>>>>
>>>>_______________________________________________
>>>>kwlug-disc mailing list
>>>>kwlug-disc at kwlug.org
>>>>http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>>>
>>>
>>>
>>>-- 
>>>Khalid M. Baheyeldin
>>>2bits.com, Inc.
>>>Fast Reliable Drupal
>>>Drupal optimization, development, customization and consulting.
>>>Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
>>>Simplicity is the ultimate sophistication. --   Leonardo da Vinci
>>>For every complex problem, there is an answer that is clear, simple, and wrong. -- H.L. Mencken
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>
>
>
>
>
>
>  
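Added example, not part of the thread: the one-line test quoted above wrapped in a function with an exit status a monitoring job can act on, plus a check for the question raised in the thread about whether open shells need restarting. Note that the test starts a fresh `bash -c`, so it exercises the binary now on disk, not the long-running shells already in memory; `stale_bash_processes` (a name chosen here) lists those by looking for `/proc/PID/exe` links that Linux marks `(deleted)` once the package upgrade replaced the file.

```shell
#!/bin/sh
# Added example (not from the kwlug-disc thread). Tests the installed bash for
# the CVE-2014-6271 behaviour using the command quoted in the thread, and
# reports bash processes still running a binary that has since been replaced.

# Classify captured test output: the patched bash prints only the warnings
# and "this is a test"; an unpatched one also executes the trailing command.
classify_output() {
    case "$1" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Run the thread's test against a bash binary (default: the one in PATH).
# Returns 0 when patched, 1 when the environment import still executes code.
check_bash_env_import() {
    bash_bin="${1:-bash}"
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>/dev/null)
    [ "$(classify_output "$out")" = "patched" ]
}

# List PIDs of bash processes whose executable was replaced on disk after they
# started. Linux appends " (deleted)" to /proc/PID/exe in that case. These
# shells keep the old code until they are restarted, whatever the test says.
stale_bash_processes() {
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue   # skip PIDs we may not inspect
        case "$target" in
            */bash\ \(deleted\))
                pid=${exe#/proc/}
                echo "${pid%/exe}"
                ;;
        esac
    done
}

if check_bash_env_import; then
    echo "installed bash: patched"
else
    echo "installed bash: vulnerable"
fi
stale=$(stale_bash_processes)
[ -n "$stale" ] && printf 'bash processes still running the old binary:\n%s\n' "$stale"
```

The process list needs enough privilege to read other users' `/proc/PID/exe` links; run it as root to cover daemons as well as interactive shells.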