LinuxQuestions.org
Old 09-25-2014, 04:41 PM   #31
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: CentOS 6 & 7
Posts: 3,209

Rep: Reputation: 871

The first patch rushed out to fix this was incomplete and I suspect RHEL paying customers are in line ahead of CentOS to get the second one. Here is the article:

https://securityblog.redhat.com/2014...ection-attack/
https://access.redhat.com/articles/1200223
 
Old 09-25-2014, 04:49 PM   #32
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573

Rep: Reputation: 2134
That's what it's supposed to do. A broken system would print
Code:
vulnerable
this is a test
That
Code:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
is it catching the vulnerability.
 
Old 09-25-2014, 06:33 PM   #33
anthony11
LQ Newbie
 
Registered: Jan 2012
Posts: 3

Rep: Reputation: Disabled
Quote:
Originally Posted by Linux_Kidd View Post
see https://access.redhat.com/articles/1200223

I am wondering why the repos don't have the fixed package yet.
I found that here the RHEL 6 package came in long before the CentOS analogues made it to the mirror I use.

Safe travels.
 
Old 09-25-2014, 07:37 PM   #34
turtlebay777
Member
 
Registered: Apr 2014
Posts: 39

Rep: Reputation: 3
http://forums.linuxmint.com/viewtopic.php?f=47&t=178935

Mint 13 and 17 as well as LMDE are all patched now. Not that bash is used by default in any of the versions!
 
Old 09-25-2014, 07:55 PM   #35
widget
Senior Member
 
Registered: Oct 2008
Location: S.E. Montana
Distribution: Debian Testing, Stable, Sid and Manjaro, Mageia 3, LMDE
Posts: 2,628

Rep: Reputation: 496
Re: Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - Shell shock patching?

Thanks for this thread.

Great collection of links. Clear, concise details for dealing with the issue.

Most of all there is no silly dramatics.

Last edited by unSpawn; 09-27-2014 at 10:52 AM. Reason: //Pre-merge subject linking
 
Old 09-25-2014, 08:39 PM   #36
tylerhoadley
LQ Newbie
 
Registered: Mar 2009
Posts: 2

Rep: Reputation: 0
Re: Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - Shell shock patching?

Thanks for the squeeze-lts packages, very much appreciated.

Cheers,

Last edited by unSpawn; 09-27-2014 at 10:53 AM. Reason: //Pre-merge subject linking
 
Old 09-25-2014, 09:23 PM   #37
BartMan__X
LQ Newbie
 
Registered: Sep 2014
Posts: 1

Rep: Reputation: Disabled
Re: Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - Shell shock patching?

Try all three of these tests before you think you're fixed:

env X='() { :;}; echo' /bin/cat /etc/passwd; echo 'Welcome to he Simple ShellShock Tester By Svieg';echo 'Your infos are at risk';

env x='() { :;}; echo Your system is vulnerable update ASAP' bash -c "echo Visit svieg.wordpress.com for update info"

env X='() { (a)=>\' bash -c "echo date"

The standard env test listed is not the only variable that needs to be patched!

Although this thread helped patch one problem, there are still more:

Quote:
root@BWS-NET:~# env X='() { :;}; echo' /bin/cat /etc/passwd; echo 'Welcome to he Simple ShellShock Tester By Svieg';echo 'Your infos are at risk';
Welcome to he Simple ShellShock Tester By Svieg
Your infos are at risk

Last edited by unSpawn; 09-27-2014 at 10:53 AM. Reason: //Pre-merge subject linking
 
Old 09-26-2014, 02:48 AM   #38
NotAComputerGuy
Member
 
Registered: Jun 2012
Distribution: Linux Mint - Debian Edition
Posts: 349

Rep: Reputation: 13
Quote:
Originally Posted by turtlebay777 View Post
http://forums.linuxmint.com/viewtopic.php?f=47&t=178935

Mint 13 and 17 as well as LMDE are all patched now. Not that bash is used by default in any of the versions!
I came here seeking advice regarding this topic and found this which applied to my LMDE systems. I don't think LMDE *is* patched, as I saw the news yesterday, switched my computer on this morning and immediately sought to update to fix this. No update has come through and running the 'tests' displayed on many sites around the web, my system is still vulnerable.

How do I find out if my system is patched or not? How likely is this to affect me?

Thanks
 
Old 09-26-2014, 02:57 AM   #39
NotAComputerGuy
Member
 
Registered: Jun 2012
Distribution: Linux Mint - Debian Edition
Posts: 349

Rep: Reputation: 13
Update for other non-computer people. I found this thread here: http://forums.linuxmint.com/viewtopi...928313#p928313

This is what I did which might possibly fix the problem within LMDE (Linux Mint Debian Edition): Menu -> Update Manager -> Edit -> Software Sources -> Additional Repositories -> Add New Repository -> Enter the following text
Code:
deb http://ftp.debian.org/debian sid main contrib non-free
-> Then refresh cache in the top right corner. In a terminal enter
Code:
    sudo apt-get install bash
.

Do not just "apt-get upgrade" as people are reporting this breaks their system.

Once installed, remove the repository that you added within Update Manager.

I sincerely hope if this is wrong that someone corrects me shortly..
 
Old 09-26-2014, 06:27 AM   #40
DebianUser
Member
 
Registered: Apr 2010
Posts: 88

Rep: Reputation: 15
Re: Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - Shell shock patching?

I just ran the MANUAL Patch for Debian 6 and now I get

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test

so it appears to be fixed however my bash version still shows

GNU bash, version 4.1.5(1)-release (i486-pc-linux-gnu)

Last edited by unSpawn; 09-27-2014 at 10:53 AM. Reason: //Pre-merge subject linking
 
Old 09-26-2014, 06:49 AM   #41
charly78
Member
 
Registered: Aug 2012
Location: Toronto,Canada
Posts: 73

Rep: Reputation: Disabled
You can always do it by the source and patch using the latest patches

#check what you have for a version and sub in place of the 4.3 or 43
dpkg-query -l|grep bash
cd /usr/src
wget ftp://ftp.cwru.edu/pub/bash/bash-4.3.tar.gz
tar zxvf bash-4.3.tar.gz
cd bash-4.3

# download and apply all patches, including the latest one that patches
# note the 0 to 12 should be changed to the patches so if there are 0 to 59 patches you should have 0 59

for i in $(seq -f "%03g" 0 12); do
wget -nv ftp://ftp.cwru.edu/pub/bash/bash-4.3-patches/bash43-$i
patch -p0 < bash43-$i
done

# compile and install to /usr/local/bin/bash
./configure && make && make install


# point /bin/bash to the new binary
mv /bin/bash /bin/bash.old
ln -s /usr/local/bin/bash /bin/bash

# test by comparing the output of the following
env x='() { :;}; echo vulnerable' /bin/bash.old -c echo
env x='() { :;}; echo vulnerable' bash -c echo

#get rid of the problem bash file
rm /bin/bash.old
 
Old 09-26-2014, 07:04 AM   #42
turtlebay777
Member
 
Registered: Apr 2014
Posts: 39

Rep: Reputation: 3
Look on the Mint Forums site for details about Mint. Here, I've patched you through to the part talking about Bash Shellshock - http://forums.linuxmint.com/viewtopi...f=198&t=179002
 
Old 09-26-2014, 07:46 AM   #43
Soderlund
Member
 
Registered: Aug 2012
Posts: 185

Rep: Reputation: 81
Are shells other than bash also affected by this?
 
Old 09-26-2014, 08:11 AM   #44
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: CentOS 6 & 7
Posts: 3,209

Rep: Reputation: 871
CentOS now is fully patched

Code:
# rpm -qi bash
Name        : bash                         Relocations: (not relocatable)
Version     : 4.1.2                             Vendor: CentOS
Release     : 15.el6_5.2                    Build Date: Thu 25 Sep 2014 10:15:25 PM EDT
# env x='() { :;}; echo vulnerable' bash -c echo

#
 
Old 09-26-2014, 08:11 AM   #45
Toofle
LQ Newbie
 
Registered: Mar 2014
Posts: 7

Rep: Reputation: Disabled
I'm on Debian Sid atm. And when I try the command:

Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If your system is compromised you should be able to see "vulnerable" and "this is a test".
However, I can only see the part where it echoes "this is a test".

If the bash shell is patched it should give this error.

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

But it doesn't!

I have updated bash to latest version. Anyone have a clue?
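
Posts #32 and #45 describe three different outputs for the same test. The script below is an added example (not written by any poster in the thread) that classifies them and also runs the CVE-2014-7169 check from post #37 in a scratch directory. The function names classify_6271 and check_bash are made up for this example, and the rule that a vulnerable bash leaves behind a file named "echo" is not stated in the thread.

```shell
#!/bin/sh
# Added example, not from the thread; function names are made up here.

# classify_6271 OUTPUT: verdict for the combined stdout+stderr of
#   env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
classify_6271() {
    case "$1" in
        *vulnerable*)
            echo "VULNERABLE" ;;            # injected echo ran (post #32)
        *"ignoring function definition attempt"*)
            echo "patched-with-warning" ;;  # import rejected with a warning
        *"this is a test"*)
            echo "patched-silent" ;;        # x treated as a plain string
        *)
            echo "inconclusive" ;;          # bash missing or failed to run
    esac
}

# check_bash [PATH]: run both checks from the thread against one bash
# binary, inside a scratch directory so nothing lands in the current one.
check_bash() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 ||
        { echo "no such bash: $bash_bin"; return 2; }
    scratch=$(mktemp -d) || return 1
    out=$(cd "$scratch" && env x='() { :;}; echo vulnerable' \
          "$bash_bin" -c "echo this is a test" 2>&1) || true
    echo "CVE-2014-6271: $(classify_6271 "$out")"
    # CVE-2014-7169 check from post #37: a vulnerable bash runs `date`
    # and redirects its output into a file named "echo".
    (cd "$scratch" && env X='() { (a)=>\' \
        "$bash_bin" -c "echo date" >/dev/null 2>&1) || true
    if [ -e "$scratch/echo" ]; then
        echo "CVE-2014-7169: VULNERABLE"
    else
        echo "CVE-2014-7169: patched"
    fi
    rm -rf "$scratch"
}

check_bash "${1:-bash}"
```

Pass a path such as /bin/bash.old (the renamed binary in post #41) as the first argument to test a specific binary instead of the one found on PATH.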
 
  

