Re: [gentoo-user] [Security] Update bash *NOW*

2014-09-25 Thread Kerin Millar

On 25/09/2014 02:58, Walter Dnes wrote:

[snip]


...with malicious stuff, and it could get ugly.  app-shells/bash-4.2_p48
has been pushed to Gentoo stable.  The same env command results in...


Unfortunately, that version did fully address the problem. Instead, 
upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were 
recently committed. For further details:


https://bugs.gentoo.org/show_bug.cgi?id=523592

--Kerin



Re: [gentoo-user] [Security] Update bash *NOW*

2014-09-25 Thread Kerin Millar

On 25/09/2014 13:54, Kerin Millar wrote:

On 25/09/2014 02:58, Walter Dnes wrote:

[snip]


...with malicious stuff, and it could get ugly.  app-shells/bash-4.2_p48
has been pushed to Gentoo stable.  The same env command results in...


Unfortunately, that version did fully address the problem. Instead,
upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were
recently committed. For further details:

https://bugs.gentoo.org/show_bug.cgi?id=523592



Oops. Obviously, I meant to write "did not fully address the problem".

--Kerin



Re: [gentoo-user] [Security] Update bash *NOW*

2014-09-25 Thread covici
Kerin Millar kerfra...@fastmail.co.uk wrote:

 On 25/09/2014 02:58, Walter Dnes wrote:
 
 [snip]
 
  ...with malicious stuff, and it could get ugly.  app-shells/bash-4.2_p48
  has been pushed to Gentoo stable.  The same env command results in...
 
 Unfortunately, that version did fully address the problem. Instead,
 upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were
 recently committed. For further details:
 
 https://bugs.gentoo.org/show_bug.cgi?id=523592

I cannot update to that, it's not in the tree as of last night.

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

 John Covici
 cov...@ccs.covici.com



Re: [gentoo-user] [Security] Update bash *NOW*

2014-09-25 Thread Tomas Mozes

On 2014-09-25 16:02, cov...@ccs.covici.com wrote:

Kerin Millar kerfra...@fastmail.co.uk wrote:


On 25/09/2014 02:58, Walter Dnes wrote:

[snip]

 ...with malicious stuff, and it could get ugly.  app-shells/bash-4.2_p48
 has been pushed to Gentoo stable.  The same env command results in...

Unfortunately, that version did fully address the problem. Instead,
upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were
recently committed. For further details:

https://bugs.gentoo.org/show_bug.cgi?id=523592

I cannot update to that, it's not in the tree as of last night.


Try to rsync from some other mirror.



Re: [gentoo-user] [Security] Update bash *NOW*

2014-09-25 Thread Walter Dnes
On Thu, Sep 25, 2014 at 01:54:10PM +0100, Kerin Millar wrote
 On 25/09/2014 02:58, Walter Dnes wrote:
 
 [snip]
 
  ...with malicious stuff, and it could get ugly.  app-shells/bash-4.2_p48
  has been pushed to Gentoo stable.  The same env command results in...
 
 Unfortunately, that version did fully address the problem. Instead, 
 upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were 
 recently committed. For further details:
 
 https://bugs.gentoo.org/show_bug.cgi?id=523592
 
 --Kerin

  OK, I've got app-shells/bash-4.2_p48-r1 installed now.

-- 
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications



[gentoo-user] [Security] Update bash *NOW*

2014-09-24 Thread Walter Dnes
  Slashdot article 
http://linux.slashdot.org/story/14/09/24/1638207/remote-exploit-vulnerability-found-in-bash

  Story at 
http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html

  CVE ID CVE-2014-6271 at http://seclists.org/oss-sec/2014/q3/650

  Summary... bash scripts, CGI, perl via system(), and various other
commands invoke a bash shell at times, passing environmental variables
in the process.  Problem is that an environmental variable ***CAN
CONTAIN A FUNCTION DEFINITION, AND EXECUTE IT WHILST SPAWNING A NEW
SHELL***.  E.g. execute the command...

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

...and you get the following...

vulnerable
this is a test

  Replace...

x='() { :;}; echo vulnerable'

...with malicious stuff, and it could get ugly.  app-shells/bash-4.2_p48
has been pushed to Gentoo stable.  The same env command results in...

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test


-- 
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications
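
Added example (not part of any message in this thread): a small script that runs the env probe from the post above against a chosen bash binary and classifies the output. The helper names classify_probe and probe_bash are hypothetical; the probe string and the two sample outputs are the ones quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread. classify_probe and probe_bash are
# hypothetical helper names; the probe string is the one from the post.

# classify_probe OUTPUT
# Maps the combined stdout+stderr of the probe to one word:
#   vulnerable     the text after the function body was executed
#   rejected       bash warned and refused the definition (4.2_p48 output)
#   not-triggered  the command ran and the variable was not treated as code
#   unknown        the command's own output is missing (bash did not run)
classify_probe() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable
    elif ! printf '%s\n' "$1" | grep -qx 'this is a test'; then
        echo unknown
    elif printf '%s\n' "$1" | grep -q 'ignoring function definition attempt'; then
        echo rejected
    else
        echo not-triggered
    fi
}

# probe_bash [PATH_TO_BASH]
# Runs the post's env command against one bash binary and classifies it.
probe_bash() {
    bash_bin=${1:-bash}
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>&1) || true
    classify_probe "$out"
}

# "rejected" and "not-triggered" only mean this one probe failed. The thread
# notes that 4.2_p48, which gives the "rejected" output, did not fully
# address the problem, so the installed version still has to be checked.
probe_bash "${1:-bash}"
```

Pass the path of another bash binary as the first argument to test it instead of the one found on PATH.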