Re: ksh, csh same vulnerability as bash

2014-10-08 Thread Giancarlo Razzolini
On 08-10-2014 17:14, David Coppa wrote:
> On Wed, Oct 8, 2014 at 9:47 PM, Giancarlo Razzolini
>  wrote:
>> On 08-10-2014 15:03, Артур Истомин wrote:
>>> How is mtier affiliated with OpenBSD? Is it a safe method/source for updates?
>>> Who are they?
>> It has been pointed out to me that one of the ports maintainers/developers is
>> associated with them.
> not only one, there're several...
>
> Ciao,
> David
Even better then. I truly recommend using it.

Cheers




Re: ksh, csh same vulnerability as bash

2014-10-08 Thread David Coppa
On Wed, Oct 8, 2014 at 9:47 PM, Giancarlo Razzolini
 wrote:
> On 08-10-2014 15:03, Артур Истомин wrote:
>> How is mtier affiliated with OpenBSD? Is it a safe method/source for updates?
>> Who are they?
> It has been pointed out to me that one of the ports maintainers/developers is
> associated with them.

not only one, there're several...

Ciao,
David
-- 
"If you try a few times and give up, you'll never get there. But if
you keep at it... There's a lot of problems in the world which can
really be solved by applying two or three times the persistence that
other people will."
-- Stewart Nelson



Re: ksh, csh same vulnerability as bash

2014-10-08 Thread Giancarlo Razzolini
On 08-10-2014 15:03, Артур Истомин wrote:
> How is mtier affiliated with OpenBSD? Is it a safe method/source for updates?
> Who are they?
It has been pointed out to me that one of the ports maintainers/developers is
associated with them. I've been using it since 5.4 and have had no issues so
far. Their packages are signed using their own key, which gets installed
when you run openup for the first time. As long as you get the openup
script right the first time, I don't see any reason why you shouldn't
use it. And you can keep a copy of the script so you can compare it when
it gets updated (which happens automatically).

Cheers




Re: ksh, csh same vulnerability as bash

2014-10-08 Thread Артур Истомин
On Wed, Oct 08, 2014 at 09:39:39AM +, Stuart Henderson wrote:
> On 2014-10-08, Jason Adams  wrote:
> > On 09/29/2014 05:00 AM, Peter Hessler wrote:
> >> You tested bash.  All 3 shells are behaving correctly by passing the env
> >> variable to the bash command you are running.  The bash command you are
> >> running is behaving incorrectly by parsing the variable as a function.
> >
> > So the question is, for those of us that have added the bash package,
> > why is bash still vulnerable after all these weeks, when everyone else has
> > fixed their bash packages?
> >
> > Just checked for updated pkg, today, and it's still vulnerable.
> 
> Release packages (e.g. in $mirror/pub/OpenBSD/5.5/packages/amd64)
> do not get updated after the release is built. (Yes this means 5.6 too -
> the cut-off point was around early August).
> 
> There are updates in the 5.5-stable ports tree that you can build
> yourself (see the faq), or see https://stable.mtier.org/ (third-party).

How is mtier affiliated with OpenBSD? Is it a safe method/source for updates?
Who are they?



Re: ksh, csh same vulnerability as bash

2014-10-08 Thread Stuart Henderson
On 2014-10-08, Jason Adams  wrote:
> On 09/29/2014 05:00 AM, Peter Hessler wrote:
>> You tested bash.  All 3 shells are behaving correctly by passing the env
>> variable to the bash command you are running.  The bash command you are
>> running is behaving incorrectly by parsing the variable as a function.
>
> So the question is, for those of us that have added the bash package,
> why is bash still vulnerable after all these weeks, when everyone else has
> fixed their bash packages?
>
> Just checked for updated pkg, today, and it's still vulnerable.

Release packages (e.g. in $mirror/pub/OpenBSD/5.5/packages/amd64)
do not get updated after the release is built. (Yes this means 5.6 too -
the cut-off point was around early August).

There are updates in the 5.5-stable ports tree that you can build
yourself (see the faq), or see https://stable.mtier.org/ (third-party).



Re: ksh, csh same vulnerability as bash

2014-10-08 Thread Dennis Davis
On Wed, 8 Oct 2014, Gregor Best wrote:

> From: Gregor Best 
> To: Jason Adams 
> Cc: misc@openbsd.org
> Date: Wed, 8 Oct 2014 08:57:53
> Subject: Re: ksh, csh same vulnerability as bash
>
> On Tue, Oct 07, 2014 at 10:05:57PM -0700, Jason Adams wrote:
> > [...]
> > So the question is, for those of us that have added the bash package,
> > why is bash still vulnerable after all these weeks, when
> > everyone else has fixed their bash packages?
> >
> > Just checked for updated pkg, today, and it's still vulnerable.
> > [...]
>
> I'm running current here, with bash-4.3.28 from packages. The
> error seems fixed:

...

There have been a couple of extra patches released: bash43-029 &
bash43-030.

For my sins I'm still on OpenBSD 5.3 on a couple of antique laptops.
Yes, I know OpenBSD 5.3 isn't supported and I should upgrade.
However, I've tweaked the port for bash to include all the recent
patches.  So I'm now running:

GNU bash, version 4.2.53(1)-release (i386-unknown-openbsd5.3)
-- 
Dennis Davis 



Re: ksh, csh same vulnerability as bash

2014-10-08 Thread Gregor Best
On Tue, Oct 07, 2014 at 10:05:57PM -0700, Jason Adams wrote:
> [...]
> So the question is, for those of us that have added the bash package,
> why is bash still vulnerable after all these weeks, when everyone else has
> fixed their bash packages?
> 
> Just checked for updated pkg, today, and it's still vulnerable.
> [...]

I'm running current here, with bash-4.3.28 from packages. The error
seems fixed:

$ env x="() { :; }; echo fnord" bash -c 'echo whee'
whee
$

Looks good to me. Are you running 5.5? Then the mtier packages are
probably a good idea.

-- 
Gregor Best



Re: ksh, csh same vulnerability as bash

2014-10-07 Thread Maurice McCarthy
mtier have had at least two updates of bash that I know of.
Regards



Re: ksh, csh same vulnerability as bash

2014-10-07 Thread Eric Furman
On Wed, Oct 8, 2014, at 01:05 AM, Jason Adams wrote:
> On 09/29/2014 05:00 AM, Peter Hessler wrote:
> > You tested bash.  All 3 shells are behaving correctly by passing the env
> > variable to the bash command you are running.  The bash command you are
> > running is behaving incorrectly by parsing the variable as a function.
> 
> So the question is, for those of us that have added the bash package,
> why is bash still vulnerable after all these weeks, when everyone else
> has fixed their bash packages?
> 
> Just checked for updated pkg, today, and it's still vulnerable.
> 

This is not really a general OBSD question because it's not part of
base.
Ask the maintainer of the bash package why it hasn't been updated.
Maybe the ports list?
Or you could do it yourself.



Re: ksh, csh same vulnerability as bash

2014-10-07 Thread Jason Adams
On 09/29/2014 05:00 AM, Peter Hessler wrote:
> You tested bash.  All 3 shells are behaving correctly by passing the env
> variable to the bash command you are running.  The bash command you are
> running is behaving incorrectly by parsing the variable as a function.

So the question is, for those of us that have added the bash package,
why is bash still vulnerable after all these weeks, when everyone else has fixed
their bash packages?

Just checked for updated pkg, today, and it's still vulnerable.



Re: ksh, csh same vulnerability as bash

2014-09-29 Thread Peter Hessler
You tested bash.  All 3 shells are behaving correctly by passing the env
variable to the bash command you are running.  The bash command you are
running is behaving incorrectly by parsing the variable as a function.

To test ksh/csh, you need to run a different command.


On 2014 Sep 29 (Mon) at 03:53:58 -0700 (-0700), Bogdan Andu wrote:
:Hello list,
:
:the bug in bash shell discovered last day also seems to be present in ksh and
:csh. ksh is known to be the default shell in OpenBSD.
:
:the following piece of shell code executes successfully on both ksh and csh
:(besides bash of course):
:ksh:
:$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
:Bash is vulnerable!
:Bash Test
:
:csh:
:%  env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
:Bash is vulnerable!
:Bash Test
:
:
:bash:
:$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
:Bash is vulnerable!
:Bash Test
:
:all platforms seem to be affected 5.2, 5.3, 5.4, 5.5 - amd64
:
:
:I wonder what is to be done to circumvent any potential security risk for
:people who call shell script code from cgi scripts for example.
:
:
:Cheers,
:
:/Bogdan
:

-- 
Help fight continental drift.



Re: ksh, csh same vulnerability as bash

2014-09-29 Thread Markus Hennecke

On 29.09.2014 12:53, Bogdan Andu wrote:

the bug in bash shell discovered last day also seems to be present in ksh and
csh. ksh is known to be the default shell in OpenBSD.

the following piece of shell code executes successfully on both ksh and csh
(besides bash of course):
ksh:
$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test

csh:
%  env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test


bash:
$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test

all platforms seem to be affected 5.2, 5.3, 5.4, 5.5 - amd64


I wonder what is to be done to circumvent any potential security risk for
people who call shell script code from cgi scripts for example.


Not sure if you are stupid or just a troll...

What do you expect when you execute a vulnerable bash from another shell?

Do you understand what you are doing?