Re: bash vulnerability

2014-09-30 Thread Bryan Drewery
On 9/30/2014 1:54 PM, Jung-uk Kim wrote:
> On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote:
>> On 9/29/2014 11:01 AM, Mike Tancsa wrote:
>>> On 9/26/2014 5:01 PM, Bryan Drewery wrote:
>>>> On 9/26/2014 12:41 PM, Bryan Drewery wrote:
>>>>> On 9/26/2014 11:51 AM, Bryan Drewery wrote:
>>>>>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>>>>>>> Apparently, the full fix is still not delivered, according to this:
>>>>>>> http://seclists.org/oss-sec/2014/q3/741
>>>>>>>
>>>>>>> Kind regards,
>>>>>>> Bartek Rutkowski
>>>>>>>
>>>>>>
>>>>>> I'm pretty sure they call that a "feature". This is a bit different.
>>>>
>>>> I've disabled environment function importing in the port. Using
>>>> --import-functions will allow it to work if you need it.
>>>
>>> Hi Bryan,
>>> With the latest ports, bashcheck still sees some issues with bash.
>>> Are these false positives on FreeBSD ?
>>>
>>> Using
>>> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
>>>
>>> Not vulnerable to CVE-2014-6271 (original shellshock)
>>> Not vulnerable to CVE-2014-7169 (taviso bug)
>>> ./bashcheck: line 18: 54908 Segmentation fault  (core dumped) bash
>>> -c "true $(printf '< /dev/null
>>> Vulnerable to CVE-2014-7186 (redir_stack bug)
>>> Test for CVE-2014-7187 not reliable without address sanitizer
>>> Variable function parser inactive, likely safe from unknown parser bugs
>>>
>>> ---Mike
>>
>> Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.
> 
> Applying the first patch for parse.y from the following post passed the
> tests for me.
> 
> http://www.openwall.com/lists/oss-security/2014/09/25/32
> 
> In fact, all major Linux distros seem to use it now.
> 
> FYI,
> 
> Jung-uk Kim

For some reason the redir_stack issue is not showing up at all for me on
head without the patch. It does show up on an 8.4 system of mine without
the patch though.

I have applied it now to the port.

-- 
Regards,
Bryan Drewery



signature.asc
Description: OpenPGP digital signature


Re: bash vulnerability

2014-09-30 Thread Charles Swiger
On Sep 30, 2014, at 3:08 PM, Jung-uk Kim  wrote:
> On 2014-09-30 18:00:31 -0400, Mike Tancsa wrote:
>> On 9/30/2014 5:25 PM, Charles Swiger wrote:
>>> bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
>>> Testing Exploit 4 (CVE-2014-7186)
>>> bash-3.2$ CVE7186="$(bash -c 'true <>> >> V)"
>>> bash-3.2$ [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT
>>> VULNERABLE"
>>> NOT VULNERABLE
>>> 
>>> This being said, I'm not confident that there won't be further issues
>>> found with bash
>>> 
>> 
>> What are people using to check these issues ?  I was using
>> 
>> https://github.com/hannob/bashcheck
>> 
>> Not sure if that gives false positives ?
> ...
> 
> Yes, it seems it does.
> 
> https://github.com/hannob/bashcheck/commit/5b611b36
> 
> Jung-uk Kim

Checking, and agreed.

bash -c "true $(printf '

Re: bash vulnerability

2014-09-30 Thread Jung-uk Kim
On 2014-09-30 18:00:31 -0400, Mike Tancsa wrote:
> On 9/30/2014 5:25 PM, Charles Swiger wrote:
>> bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
>> Testing Exploit 4 (CVE-2014-7186)
>> bash-3.2$ CVE7186="$(bash -c 'true <> > V)"
>> bash-3.2$ [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT
>> VULNERABLE"
>> NOT VULNERABLE
>>
>> This being said, I'm not confident that there won't be further issues
>> found with bash
>>
> 
> What are people using to check these issues ?  I was using
> 
> https://github.com/hannob/bashcheck
> 
> Not sure if that gives false positives ?
...

Yes, it seems it does.

https://github.com/hannob/bashcheck/commit/5b611b36

Jung-uk Kim
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"


Re: bash vulnerability

2014-09-30 Thread Mike Tancsa

On 9/30/2014 5:25 PM, Charles Swiger wrote:

> bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
> Testing Exploit 4 (CVE-2014-7186)
> bash-3.2$ CVE7186="$(bash -c 'true 

Re: bash vulnerability

2014-09-30 Thread Jason Hellenthal
I would agree with that. Considering the Korn shell was found this morning to be 
importing functions from bash that it does not completely know how to interpret, 
this goes to say that there is a much bigger issue at face here than the mere 
sysadmins can begin to fathom quite yet.

There is still more to come from this. We may not see the end of it for the 
next 10 years.

But also to state: bash 4.3.27 on 10-RELEASE-p9 reports as not vulnerable to the 
five known CVEs right now, but that same shell compiled on a 9.1-RELEASE system 
is still vulnerable to the last two CVEs… That said, this is deep just when you 
think you have it conquered.

On Sep 30, 2014, at 16:25, Charles Swiger  wrote:

> On Sep 30, 2014, at 12:46 PM, Bryan Drewery  wrote:
> [ ... ]
>> I even saw a reddit post last night complaining that OSX had updated
>> bash only to leave it "still vulnerable" because of the redir_stack issue.
> 
> It doesn't seem to be?
> 
> bash-3.2$ bash --version
> GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
> Copyright (C) 2007 Free Software Foundation, Inc.
> 
> bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
> Testing Exploit 4 (CVE-2014-7186)
> bash-3.2$ CVE7186="$(bash -c 'true <  bash-3.2$ [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT 
> VULNERABLE"
> NOT VULNERABLE
> 
> This being said, I'm not confident that there won't be further issues found 
> with bash
> 
> Regards,
> -- 
> -Chuck
> 
> ___
> freebsd-secur...@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"

-- 
 Jason Hellenthal
 Mobile: +1 (616) 953-0176
 jhellent...@dataix.net
 JJH48-ARIN



Re: bash vulnerability

2014-09-30 Thread Charles Swiger
On Sep 30, 2014, at 12:46 PM, Bryan Drewery  wrote:
[ ... ]
> I even saw a reddit post last night complaining that OSX had updated
> bash only to leave it "still vulnerable" because of the redir_stack issue.

It doesn't seem to be?

bash-3.2$ bash --version
GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.

bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
Testing Exploit 4 (CVE-2014-7186)
bash-3.2$ CVE7186="$(bash -c 'true 

Re: bash vulnerability

2014-09-30 Thread Jung-uk Kim
On 2014-09-30 14:58:07 -0400, Jason Hellenthal wrote:
> echo "Testing Exploit 1 (CVE-2014-6271)"
> CVE6271="$(env x='() { :;}; echo -n V' bash -c : 2>/dev/null)"
> [ "${CVE6271}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
> 
> echo "Testing Exploit 2 (CVE-2014-7169)"
> CVE7169="$(env X='() { (4lpi.com)=>\' bash -c "echo date" 2>/dev/null; cat 
> echo 2>/dev/null; rm -f echo)"
> [ ! "${CVE7169}" == "date" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
> 
> echo "Testing Exploit 3 (CVE-2014-6277)"
> CVE6277="$(env -i X=' () { }; echo -n V' bash -c :)"
> [ "${CVE6277}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
> 
> echo "Testing Exploit 4 (CVE-2014-7186)"
> CVE7186="$(bash -c 'true <  [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
> 
> echo "Testing Exploit 5 (CVE-2014-7187)"
> CVE7187="$((for x in {1..200}; do echo "for x$x in ; do :"; done; for x in 
> {1..200}; do echo done; done) |bash 2>/dev/null ||echo -n V)"
> [ "${CVE7187}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
> 
> Good luck ;-)

Yes, it passes all tests (the patch attached).

Jung-uk Kim
--- parse.y.orig2014-09-30 12:58:08.462512373 -0400
+++ parse.y 2014-09-30 12:58:08.629018000 -0400
@@ -265,9 +265,21 @@
 
 /* Variables to manage the task of reading here documents, because we need to
defer the reading until after a complete command has been collected. */
-static REDIRECT *redir_stack[10];
+static REDIRECT **redir_stack;
 int need_here_doc;
 
+/* Pushes REDIR onto redir_stack, resizing it as needed. */
+static void
+push_redir_stack (REDIRECT *redir)
+{
+  /* Guard against oveflow. */
+  if (need_here_doc + 1 > INT_MAX / sizeof (*redir_stack))
+abort ();
+  redir_stack = xrealloc (redir_stack,
+ (need_here_doc + 1) * sizeof (*redir_stack));
+  redir_stack[need_here_doc++] = redir;
+}
+
 /* Where shell input comes from.  History expansion is performed on each
line when the shell is interactive. */
 static char *shell_input_line = (char *)NULL;
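Review bot: the guard in push_redir_stack has a typo in its comment ("oveflow") and mixes types: need_here_doc is an int while INT_MAX / sizeof (*redir_stack) is a size_t, so the left side is converted before the comparison; that is correct only because need_here_doc is never negative, which deserves a comment or an explicit cast. INT_MAX also appears with no #include <limits.h> added in this hunk, so confirm parse.y already pulls it in. Two smaller points: growing by exactly one element means xrealloc runs on every here-document pushed (a doubling policy would avoid that), and abort() turns an absurdly deep here-document nesting into a core dump rather than a parse error.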
@@ -520,42 +532,42 @@
  source.dest = 0;
  redir.filename = $2;
  $$ = make_redirection (source, r_reading_until, 
redir, 0);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
|   NUMBER LESS_LESS WORD
{
  source.dest = $1;
  redir.filename = $3;
  $$ = make_redirection (source, r_reading_until, 
redir, 0);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
|   REDIR_WORD LESS_LESS WORD
{
  source.filename = $1;
  redir.filename = $3;
  $$ = make_redirection (source, r_reading_until, 
redir, REDIR_VARASSIGN);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
|   LESS_LESS_MINUS WORD
{
  source.dest = 0;
  redir.filename = $2;
  $$ = make_redirection (source, 
r_deblank_reading_until, redir, 0);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
|   NUMBER LESS_LESS_MINUS WORD
{
  source.dest = $1;
  redir.filename = $3;
  $$ = make_redirection (source, 
r_deblank_reading_until, redir, 0);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
|   REDIR_WORD  LESS_LESS_MINUS WORD
{
  source.filename = $1;
  redir.filename = $3;
  $$ = make_redirection (source, 
r_deblank_reading_until, redir, REDIR_VARASSIGN);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
|   LESS_LESS_LESS WORD
{
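Review bot: all six here-document actions (LESS_LESS and LESS_LESS_MINUS, with and without NUMBER / REDIR_WORD) now call push_redir_stack ($$) instead of indexing redir_stack[need_here_doc++] directly, which is the right shape; since the first hunk turns redir_stack from a 10-element array into a pointer, the same change should also check the code that drains the stack when the here-document bodies are read, because any sizeof (redir_stack) or loop bound derived from the old array there would now silently become the pointer size. The LESS_LESS_LESS (here-string) action at the bottom of the hunk is left alone, consistent with it never having been pushed.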
@@ -4905,7 +4917,7 @@
 case CASE:
 case SELECT:
 case FOR:
-  if (word_top < MAX_CASE_NEST)
+  if (word_top + 1 < MAX_CASE_NEST)
word_top++;
   word_lineno[word_top] = line_number;
   break;
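Review bot: widening the test to word_top + 1 < MAX_CASE_NEST stops word_top from reaching MAX_CASE_NEST, so the following unconditional word_lineno[word_top] = line_number; no longer writes one past an array that is presumably sized MAX_CASE_NEST; but when the limit is hit the increment is skipped and the assignment still runs, so every deeper case/select/for silently overwrites the line number of the deepest tracked construct. The 200-nested-for test for CVE-2014-7187 earlier in this message exercises exactly that path; consider raising a parse error there, or at least a comment that the clamp is intentional.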

Re: bash vulnerability

2014-09-30 Thread Bryan Drewery
On 9/30/2014 1:54 PM, Jung-uk Kim wrote:
> On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote:
>> On 9/29/2014 11:01 AM, Mike Tancsa wrote:
>>> On 9/26/2014 5:01 PM, Bryan Drewery wrote:
>>>> On 9/26/2014 12:41 PM, Bryan Drewery wrote:
>>>>> On 9/26/2014 11:51 AM, Bryan Drewery wrote:
>>>>>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>>>>>>> Apparently, the full fix is still not delivered, according to this:
>>>>>>> http://seclists.org/oss-sec/2014/q3/741
>>>>>>>
>>>>>>> Kind regards,
>>>>>>> Bartek Rutkowski
>>>>>>>
>>>>>>
>>>>>> I'm pretty sure they call that a "feature". This is a bit different.
>>>>
>>>> I've disabled environment function importing in the port. Using
>>>> --import-functions will allow it to work if you need it.
>>>
>>> Hi Bryan,
>>> With the latest ports, bashcheck still sees some issues with bash.
>>> Are these false positives on FreeBSD ?
>>>
>>> Using
>>> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
>>>
>>> Not vulnerable to CVE-2014-6271 (original shellshock)
>>> Not vulnerable to CVE-2014-7169 (taviso bug)
>>> ./bashcheck: line 18: 54908 Segmentation fault  (core dumped) bash
>>> -c "true $(printf '< /dev/null
>>> Vulnerable to CVE-2014-7186 (redir_stack bug)
>>> Test for CVE-2014-7187 not reliable without address sanitizer
>>> Variable function parser inactive, likely safe from unknown parser bugs
>>>
>>> ---Mike
>>
>> Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.
> 
> Applying the first patch for parse.y from the following post passed the
> tests for me.
> 
> http://www.openwall.com/lists/oss-security/2014/09/25/32
> 
> In fact, all major Linux distros seem to use it now.
> 
> FYI,
> 
> Jung-uk Kim

I was holding off on this one as it had not proven to be remotely
exploitable from what I saw. I was also wanting to see what upstream did
before throwing more intrusive patches at our port.

I even saw a reddit post last night complaining that OSX had updated
bash only to leave it "still vulnerable" because of the redir_stack issue.

I will apply the redir_stack patch since it's becoming an FAQ.

-- 
Regards,
Bryan Drewery





Re: bash vulnerability

2014-09-30 Thread Jason Hellenthal
# Test 1: a "V" is printed only if bash ran the command that follows the
# function definition imported from the environment.
echo "Testing Exploit 1 (CVE-2014-6271)"
CVE6271="$(env x='() { :;}; echo -n V' bash -c : 2>/dev/null)"
[ "${CVE6271}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"

# Test 2: leftover parser state turns "echo date" into a redirection into a
# file named "echo"; a fixed bash simply prints "date".
echo "Testing Exploit 2 (CVE-2014-7169)"
CVE7169="$(env X='() { (4lpi.com)=>\' bash -c "echo date" 2>/dev/null; cat echo 2>/dev/null; rm -f echo)"
[ ! "${CVE7169}" == "date" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"

echo "Testing Exploit 3 (CVE-2014-6277)"
CVE6277="$(env -i X=' () { }; echo -n V' bash -c :)"
[ "${CVE6277}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"

echo "Testing Exploit 4 (CVE-2014-7186)"
CVE7186="$(bash -c 'true /dev/null ||echo -n V)"
[ "${CVE7187}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"

Good luck ;-)

On Sep 30, 2014, at 13:54, Jung-uk Kim  wrote:

> On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote:
>> On 9/29/2014 11:01 AM, Mike Tancsa wrote:
>>> On 9/26/2014 5:01 PM, Bryan Drewery wrote:
>>>> On 9/26/2014 12:41 PM, Bryan Drewery wrote:
>>>>> On 9/26/2014 11:51 AM, Bryan Drewery wrote:
>>>>>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>>>>>>> Apparently, the full fix is still not delivered, according to this:
>>>>>>> http://seclists.org/oss-sec/2014/q3/741
>>>>>>>
>>>>>>> Kind regards,
>>>>>>> Bartek Rutkowski
>>>>>>>
>>>>>>
>>>>>> I'm pretty sure they call that a "feature". This is a bit different.
>>>>
>>>> I've disabled environment function importing in the port. Using
>>>> --import-functions will allow it to work if you need it.
>>> 
>>> Hi Bryan,
>>> With the latest ports, bashcheck still sees some issues with bash.
>>> Are these false positives on FreeBSD ?
>>> 
>>> Using
>>> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
>>> 
>>> Not vulnerable to CVE-2014-6271 (original shellshock)
>>> Not vulnerable to CVE-2014-7169 (taviso bug)
>>> ./bashcheck: line 18: 54908 Segmentation fault  (core dumped) bash
>>> -c "true $(printf '< /dev/null
>>> Vulnerable to CVE-2014-7186 (redir_stack bug)
>>> Test for CVE-2014-7187 not reliable without address sanitizer
>>> Variable function parser inactive, likely safe from unknown parser bugs
>>> 
>>> ---Mike
>> 
>> Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.
> 
> Applying the first patch for parse.y from the following post passed the
> tests for me.
> 
> http://www.openwall.com/lists/oss-security/2014/09/25/32
> 
> In fact, all major Linux distros seem to use it now.
> 
> FYI,
> 
> Jung-uk Kim

-- 
 Jason Hellenthal
 Mobile: +1 (616) 953-0176
 jhellent...@dataix.net
 JJH48-ARIN



Re: bash vulnerability

2014-09-30 Thread Jung-uk Kim
On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote:
> On 9/29/2014 11:01 AM, Mike Tancsa wrote:
>> On 9/26/2014 5:01 PM, Bryan Drewery wrote:
>>> On 9/26/2014 12:41 PM, Bryan Drewery wrote:
>>>> On 9/26/2014 11:51 AM, Bryan Drewery wrote:
>>>>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>>>>>> Apparently, the full fix is still not delivered, according to this:
>>>>>> http://seclists.org/oss-sec/2014/q3/741
>>>>>>
>>>>>> Kind regards,
>>>>>> Bartek Rutkowski
>>>>>>
>>>>>
>>>>> I'm pretty sure they call that a "feature". This is a bit different.
>>>
>>> I've disabled environment function importing in the port. Using
>>> --import-functions will allow it to work if you need it.
>>
>> Hi Bryan,
>> With the latest ports, bashcheck still sees some issues with bash.
>> Are these false positives on FreeBSD ?
>>
>> Using
>> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
>>
>> Not vulnerable to CVE-2014-6271 (original shellshock)
>> Not vulnerable to CVE-2014-7169 (taviso bug)
>> ./bashcheck: line 18: 54908 Segmentation fault  (core dumped) bash
>> -c "true $(printf '< /dev/null
>> Vulnerable to CVE-2014-7186 (redir_stack bug)
>> Test for CVE-2014-7187 not reliable without address sanitizer
>> Variable function parser inactive, likely safe from unknown parser bugs
>>
>> ---Mike
> 
> Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.

Applying the first patch for parse.y from the following post passed the
tests for me.

http://www.openwall.com/lists/oss-security/2014/09/25/32

In fact, all major Linux distros seem to use it now.

FYI,

Jung-uk Kim


Re: bash vulnerability

2014-09-29 Thread Bryan Drewery
On 9/29/2014 11:01 AM, Mike Tancsa wrote:
> On 9/26/2014 5:01 PM, Bryan Drewery wrote:
>> On 9/26/2014 12:41 PM, Bryan Drewery wrote:
>>> On 9/26/2014 11:51 AM, Bryan Drewery wrote:
>>>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>>>>> Apparently, the full fix is still not delivered, according to this:
>>>>> http://seclists.org/oss-sec/2014/q3/741
>>>>>
>>>>> Kind regards,
>>>>> Bartek Rutkowski
>>>>>
>>>>
>>>> I'm pretty sure they call that a "feature". This is a bit different.
>>
>> I've disabled environment function importing in the port. Using
>> --import-functions will allow it to work if you need it.
> 
> Hi Bryan,
> With the latest ports, bashcheck still sees some issues with bash.
> Are these false positives on FreeBSD ?
> 
> Using
> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
> 
> Not vulnerable to CVE-2014-6271 (original shellshock)
> Not vulnerable to CVE-2014-7169 (taviso bug)
> ./bashcheck: line 18: 54908 Segmentation fault  (core dumped) bash
> -c "true $(printf '< /dev/null
> Vulnerable to CVE-2014-7186 (redir_stack bug)
> Test for CVE-2014-7187 not reliable without address sanitizer
> Variable function parser inactive, likely safe from unknown parser bugs
> 
> ---Mike

Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.


-- 
Regards,
Bryan Drewery





Re: bash vulnerability

2014-09-29 Thread Mike Tancsa

On 9/26/2014 5:01 PM, Bryan Drewery wrote:
> On 9/26/2014 12:41 PM, Bryan Drewery wrote:
>> On 9/26/2014 11:51 AM, Bryan Drewery wrote:
>>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>>>> Apparently, the full fix is still not delivered, according to this:
>>>> http://seclists.org/oss-sec/2014/q3/741
>>>>
>>>> Kind regards,
>>>> Bartek Rutkowski
>>>>
>>>
>>> I'm pretty sure they call that a "feature". This is a bit different.
>
> I've disabled environment function importing in the port. Using
> --import-functions will allow it to work if you need it.


Hi Bryan,
	With the latest ports, bashcheck still sees some issues with bash. Are 
these false positives on FreeBSD ?


Using
https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck

Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
./bashcheck: line 18: 54908 Segmentation fault  (core dumped) bash 
-c "true $(printf '< /dev/null

Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs

---Mike



--
---
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/


Re: bash vulnerability

2014-09-26 Thread Bryan Drewery
On 9/26/2014 12:41 PM, Bryan Drewery wrote:
> On 9/26/2014 11:51 AM, Bryan Drewery wrote:
>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>>> Apparently, the full fix is still not delivered, according to this:
>>> http://seclists.org/oss-sec/2014/q3/741
>>>
>>> Kind regards,
>>> Bartek Rutkowski
>>>
>>
>> I'm pretty sure they call that a "feature". This is a bit different.

I've disabled environment function importing in the port. Using
--import-functions will allow it to work if you need it.

https://svnweb.freebsd.org/changeset/ports/369341

-- 
Regards,
Bryan Drewery





Re: bash vulnerability

2014-09-26 Thread Bryan Drewery
On 9/26/2014 11:51 AM, Bryan Drewery wrote:
> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>> On Fri, Sep 26, 2014 at 6:40 PM, Bryan Drewery  wrote:
>>> On 9/26/2014 2:36 AM, Steve Clement wrote:
>>>> Dear all,
>>>>
>>>> In case you urgently need to go the manual route, here is one way to
>>>> really patch your systems:
>>>>
>>>> https://www.circl.lu/pub/tr-27/
>>>>
>>>> Until the patch is in the bash upstream… (which it might be by now)
>>>>
>>>> Take care,
>>>>
>>>
>>> The port has had the fixes since yesterday. The packages are building.
>>>
>>> --
>>> Regards,
>>> Bryan Drewery
>>>
>>
>> Apparently, the full fix is still not delivered, according to this:
>> http://seclists.org/oss-sec/2014/q3/741
>>
>> Kind regards,
>> Bartek Rutkowski
>>
> 
> I'm pretty sure they call that a "feature". This is a bit different.
> This is modifying the command used to call a function as the feature
> intends. The vulnerability was that just parsing the environment would
> execute the code.
> 
> TL;DR: You should cleanse your environment and only accept valid input
> to work around this feature. The bash developer (Chet) said he would not
> remove it by default, at least a few days ago.
> 

There is more discussion here http://seclists.org/oss-sec/2014/q3/746

Anyway I still think this is not anything to panic about. However I am
making the decision to disable this feature entirely in our bash port by
default. I will use christos@NetBSD's patch to add a --import-functions
flag to bash. The port will allow selecting the default at build time.
Ours will have it disabled. I have no idea what the impact is on this
but it is the safest route for now; scripts passing functions in
environment is crazy.

-- 
Regards,
Bryan Drewery





Re: bash vulnerability

2014-09-26 Thread Bryan Drewery
On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
> On Fri, Sep 26, 2014 at 6:40 PM, Bryan Drewery  wrote:
>> On 9/26/2014 2:36 AM, Steve Clement wrote:
>>> Dear all,
>>>
>>> In case you urgently need to go the manual route, here is one way to really 
>>> patch your systems:
>>>
>>> https://www.circl.lu/pub/tr-27/
>>>
>>> Until the patch is in the bash upstream… (which it might be by now)
>>>
>>> Take care,
>>>
>>
>> The port has had the fixes since yesterday. The packages are building.
>>
>> --
>> Regards,
>> Bryan Drewery
>>
> 
> Apparently, the full fix is still not delivered, according to this:
> http://seclists.org/oss-sec/2014/q3/741
> 
> Kind regards,
> Bartek Rutkowski
> 

I'm pretty sure they call that a "feature". This is a bit different.
This is modifying the command used to call a function as the feature
intends. The vulnerability was that just parsing the environment would
execute the code.

TL;DR: You should cleanse your environment and only accept valid input
to work around this feature. The bash developer (Chet) said he would not
remove it by default, at least a few days ago.

-- 
Regards,
Bryan Drewery





Re: bash vulnerability

2014-09-26 Thread Bartek Rutkowski
On Fri, Sep 26, 2014 at 6:40 PM, Bryan Drewery  wrote:
> On 9/26/2014 2:36 AM, Steve Clement wrote:
>> Dear all,
>>
>> In case you urgently need to go the manual route, here is one way to really 
>> patch your systems:
>>
>> https://www.circl.lu/pub/tr-27/
>>
>> Until the patch is in the bash upstream… (which it might be by now)
>>
>> Take care,
>>
>
> The port has had the fixes since yesterday. The packages are building.
>
> --
> Regards,
> Bryan Drewery
>

Apparently, the full fix is still not delivered, according to this:
http://seclists.org/oss-sec/2014/q3/741

Kind regards,
Bartek Rutkowski

Re: bash vulnerability

2014-09-26 Thread Bryan Drewery
On 9/26/2014 2:36 AM, Steve Clement wrote:
> Dear all,
> 
> In case you urgently need to go the manual route, here is one way to really 
> patch your systems:
> 
> https://www.circl.lu/pub/tr-27/
> 
> Until the patch is in the bash upstream… (which it might be by now)
> 
> Take care,
> 

The port has had the fixes since yesterday. The packages are building.

-- 
Regards,
Bryan Drewery





Re: bash vulnerability

2014-09-26 Thread Steve Clement
Dear all,

In case you urgently need to go the manual route, here is one way to really 
patch your systems:

https://www.circl.lu/pub/tr-27/

Until the patch is in the bash upstream… (which it might be by now)

Take care,

-- 
Steve Clement 
CIRCL - Computer Incident Response Center Luxembourg 
Awareness raising, incident handling 
A: 41, Av. de la Gare L-1611 Luxembourg 
T: (352) 274 00 98 604 
F: (352) 274 00 98 698
E: i...@circl.lu 
W: www.circl.lu

On Sep 25, 2014, at 6:57 PM, Bryan Drewery  wrote:

> The port is fixed with all known public exploits. The package is
> building currently.





Re: bash vulnerability

2014-09-25 Thread Bryan Drewery
On 9/25/2014 11:13 AM, Jung-uk Kim wrote:
> On 2014-09-25 02:54:06 -0400, Koichiro Iwao wrote:
>> Please let me make corrections.  The "shellshock" bash
>> vulnerabilities are described by 2 CVEs.
>> - CVE-2014-6271
>> - CVE-2014-7169
>>
>> The first CVE is already fixed in the latest FreeBSD ports tree
>> (r369185); so far the second CVE is not fixed yet.
> 
> CVE-2014-7169 is fixed now (r369261).
> 
> http://svnweb.freebsd.org/changeset/ports/369261
> 
> Note the commit log says CVE-2014-3659 but it was actually reassigned
> as CVE-2014-7169.
> 
> Jung-uk Kim
> 

The port is fixed with all known public exploits. The package is
building currently.

However bash still allows the crazy exporting of functions and may still
have other parser bugs. I would recommend for the immediate future not
using bash for forced ssh commands as well as these guidelines:

1. Do not ever link /bin/sh to bash. This is why it is such a big
problem on Linux, as system(3) will run bash by default from CGI.
2. Web/CGI users should have shell of /sbin/nologin.
3. Don't write CGI in shell script / Stop using CGI :)
4. httpd/CGId should never run as root, nor "apache". Sandbox each
application into its own user.
5. Custom restrictive shells, like scponly, should not be written in bash.
6. SSH authorized_keys/sshd_config forced commands should also not be
written in bash.


Cheers,
Bryan Drewery



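One way to audit a host against guidelines 1, 2, 5 and 6 above, as an added POSIX sh example (not code from the thread or from the FreeBSD port). The account names, file locations and the passwd/authorized_keys sample contents it is run against are assumptions; the awk/readlink/head calls are standard tools.

```shell
#!/bin/sh
# Added example, not code from the thread: audit helpers for guidelines 1, 2,
# 5 and 6. Every check takes its input as an argument so it can run against
# constructed samples as well as the live files (/bin/sh, /etc/passwd,
# sshd_config, authorized_keys).

# Guideline 1: /bin/sh must not be bash. Resolve symlinks and look at the
# final name, then ask the binary itself, since a copied (not linked) bash
# still sets BASH_VERSION while a real sh leaves it empty. Returns 1 on bash.
check_sh_not_bash() {
    _sh="${1:-/bin/sh}"
    _target=$(readlink -f "$_sh" 2>/dev/null || printf '%s' "$_sh")
    case "$(basename "$_target")" in
        bash*) printf 'FAIL: %s -> %s\n' "$_sh" "$_target"; return 1 ;;
    esac
    if [ -n "$("$_sh" -c 'printf %s "${BASH_VERSION}"' 2>/dev/null)" ]; then
        printf 'FAIL: %s answers as bash (BASH_VERSION set)\n' "$_sh"; return 1
    fi
    printf 'ok: %s -> %s\n' "$_sh" "$_target"
}

# Guideline 2: web/CGI service accounts get /sbin/nologin. Reads a
# passwd(5)-format file and reports each listed account whose shell is
# anything else. Returns 1 if at least one listed account has a real shell.
check_service_shells() {
    _passwd="$1"; shift
    _bad=0
    for _u in "$@"; do
        _shell=$(awk -F: -v u="$_u" '$1 == u { print $7 }' "$_passwd")
        [ -z "$_shell" ] && continue            # account not present
        case "$_shell" in
            /sbin/nologin|/usr/sbin/nologin) ;;
            *) printf 'FAIL: %s has shell %s\n' "$_u" "$_shell"; _bad=1 ;;
        esac
    done
    return $_bad
}

# True if PATH is bash by name, or an existing script whose #! line runs bash
# (a forced command written in bash hides behind the script's own name).
is_bash_interpreter() {
    case "$(basename "$1")" in bash*) return 0 ;; esac
    if [ -r "$1" ]; then
        case "$(head -n 1 "$1")" in '#!'*bash*) return 0 ;; esac
    fi
    return 1
}

# Guidelines 5 and 6: forced commands (command="..." in authorized_keys,
# ForceCommand in sshd_config) should not be bash. Prints the line number
# and interpreter of each offender; returns 1 if any is found.
check_forced_commands() {
    _file="$1"
    _bad=0
    # awk emits "<lineno><TAB><first word of the forced command>" per match.
    _list=$(awk '
        /^[[:space:]]*#/ { next }
        match($0, /command="[^"]*"/) { cmd = substr($0, RSTART + 9, RLENGTH - 10) }
        /^[[:space:]]*ForceCommand[[:space:]]/ {
            sub(/^[[:space:]]*ForceCommand[[:space:]]+/, ""); cmd = $0
        }
        cmd != "" { split(cmd, w, /[[:space:]]+/); printf "%d\t%s\n", NR, w[1]; cmd = "" }
    ' "$_file")
    [ -z "$_list" ] && return 0
    while IFS="$(printf '\t')" read -r _ln _interp; do
        if is_bash_interpreter "$_interp"; then
            printf 'FAIL: %s line %s runs %s\n' "$_file" "$_ln" "$_interp"
            _bad=1
        fi
    done <<EOF
$_list
EOF
    return $_bad
}

# Live audit only on request, so the functions can be sourced for reuse.
# Account names and file locations are assumptions for a typical FreeBSD host.
if [ "${1:-}" = "--live" ]; then
    check_sh_not_bash /bin/sh
    check_service_shells /etc/passwd www nobody
    for _f in /etc/ssh/sshd_config /root/.ssh/authorized_keys; do
        [ -r "$_f" ] && check_forced_commands "$_f"
    done
fi
```

Each check returns non-zero on a finding, so the script can run from cron or a config-management health check and fail loudly.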


Re: bash vulnerability

2014-09-25 Thread Bryan Drewery
On 9/25/2014 11:13 AM, Jung-uk Kim wrote:
> On 2014-09-25 02:54:06 -0400, Koichiro Iwao wrote:
>> Please let me make corrections.  The "shellshock" bash
>> vulnerabilities are described by 2 CVEs.
>> - CVE-2014-6271
>> - CVE-2014-7169
>>
>> The first CVE is already fixed in the latest FreeBSD ports tree
>> (r369185); so far the second CVE is not fixed yet.
> 
> CVE-2014-7169 is fixed now (r369261).
> 
> http://svnweb.freebsd.org/changeset/ports/369261
> 
> Note the commit log says CVE-2014-3659 but it was actually reassigned
> as CVE-2014-7169.

Thanks, vuxml updated.


-- 
Regards,
Bryan Drewery





Re: bash vulnerability

2014-09-25 Thread Jung-uk Kim
On 2014-09-25 02:54:06 -0400, Koichiro Iwao wrote:
> Please let me make corrections.  The "shellshock" bash
> vulnerabilities are described by 2 CVEs.
> - CVE-2014-6271
> - CVE-2014-7169
> 
> The first CVE is already fixed in the latest FreeBSD ports tree
> (r369185); so far the second CVE is not fixed yet.

CVE-2014-7169 is fixed now (r369261).

http://svnweb.freebsd.org/changeset/ports/369261

Note the commit log says CVE-2014-3659 but it was actually reassigned
as CVE-2014-7169.

Jung-uk Kim

> On Thu, Sep 25, 2014 at 11:58:30AM +0530, Riyaz T.K wrote:
>> Hi,
>> 
>> https://www.freebsd.org/cgi/ports.cgi?query=The+GNU+Project%27s+Bourne+Again+SHell&stype=text&sektion=all
>> 
>> Is this version patched from the bash vulnerability?
>> 
>> https://access.redhat.com/articles/1200223


Re: bash vulnerability

2014-09-24 Thread Koichiro IWAO
Please let me make corrections.  The "shellshock" bash vulnerabilities are 
described by 2 CVEs.
 - CVE-2014-6271
 - CVE-2014-7169

The first CVE is already fixed in the latest FreeBSD ports tree (r369185);
so far the second CVE is not fixed yet.

On Thu, Sep 25, 2014 at 11:58:30AM +0530, Riyaz T.K wrote:
> Hi,
> 
> https://www.freebsd.org/cgi/ports.cgi?query=The+GNU+Project%27s+Bourne+Again+SHell&stype=text&sektion=all
> 
> Is this version patched from the bash vulnerability?
> 
> https://access.redhat.com/articles/1200223
> 
> 
> 
> 
> -- 
> Riyaz T K
> Admod Technologies

-- 
`whois vmeta.jp | nkf -w`
meta 


Re: bash vulnerability

2014-09-24 Thread Koichiro IWAO
I think not yet [1]. But it will shortly be updated to a patched version, because
the vulnerability is already documented in security/vuxml [2]. That means the
port committer(s) are already aware of the bash vulnerability.

[1] http://svnweb.freebsd.org/ports/head/shells/bash/Makefile?revision=369185&view=markup
[2] http://svnweb.freebsd.org/ports?view=revision&revision=369192


On Thu, Sep 25, 2014 at 11:58:30AM +0530, Riyaz T.K wrote:
> Hi,
> 
> https://www.freebsd.org/cgi/ports.cgi?query=The+GNU+Project%27s+Bourne+Again+SHell&stype=text&sektion=all
> 
> Is this version patched from the bash vulnerability?
> 
> https://access.redhat.com/articles/1200223
> 
> 
> 
> 
> -- 
> Riyaz T K
> Admod Technologies

-- 
`whois vmeta.jp | nkf -w`
meta 


bash vulnerability

2014-09-24 Thread Riyaz T.K
Hi,

https://www.freebsd.org/cgi/ports.cgi?query=The+GNU+Project%27s+Bourne+Again+SHell&stype=text&sektion=all

Is this version patched from the bash vulnerability?

https://access.redhat.com/articles/1200223




-- 
Riyaz T K
Admod Technologies