LinuxQuestions.org
Old 09-25-2014, 10:02 PM   #16
bplphp73
LQ Newbie
 
Registered: Sep 2014
Posts: 1

Rep: Reputation: Disabled

Is there source code to build a patched version of bash that can be used with slackware 12?
 
Old 09-25-2014, 10:51 PM   #17
mancha
Member
 
Registered: Aug 2012
Posts: 484

Rep: Reputation: Disabled
Quote:
Originally Posted by RickKnight View Post
Any word on a patch for 12.0? I checked packages.slackware.com and didn't see one. I have a mail server running on 12.0 and am not ready to upgrade yet.
Quote:
Originally Posted by bplphp73 View Post
Is there source code to build a patched version of bash that can be used with slackware 12?
Hi.

Slackware 12.0 through 12.2 ship Bash 3.1. You should be able to use Slackware 13.0's build files on 12.x and be "protected". At least until someone finds the next way to breach the parser.

--mancha

Last edited by mancha; 09-25-2014 at 10:54 PM.
 
Old 09-25-2014, 11:41 PM   #18
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
Quote:
Originally Posted by metaschima View Post
Code:
bash-4.2$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Thu Sep 25 13:49:24 CDT 2014
Does this mean it worked ?
Yes.. To understand it better, after running that line try running
Code:
cat echo
in that directory (or look for the file) and it will show you the date...
 
3 members found this post helpful.
Old 09-26-2014, 03:06 AM   #19
WiseDraco
Member
 
Registered: Nov 2006
Location: Europe,Latvia,Riga
Distribution: slackware,slax, OS X, exMandriva
Posts: 591

Rep: Reputation: 73
Quote:
Originally Posted by hitest View Post
Praise Bob. Patched my four Slackware boxes yesterday.
can you give us a link?
 
Old 09-26-2014, 04:54 AM   #20
commandlinegamer
Member
 
Registered: Dec 2007
Posts: 164

Rep: Reputation: 51
Quote:
Originally Posted by WiseDraco View Post
can you give us a link?
A Slackware mirror.
 
Old 09-26-2014, 06:38 AM   #21
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 4,794

Rep: Reputation: 1882
Just to give some info, the updated package in current does not contain the patch as the SlackBuild is not yet modified to include the patch (eol-pushback.patch). Probably Pat forgot to add it and hopefully will issue another rebuild soon.
 
Old 09-26-2014, 09:44 AM   #22
enorbet
Senior Member
 
Registered: Jun 2003
Location: Virginia
Distribution: Slackware = Main OpSys
Posts: 4,979

Original Poster
Rep: Reputation: 4614
Guys be forewarned, one patch is not enough. There are now 3 patches released and I wouldn't be surprised if more occur. It's being called ShellShock and worse than HeartBleed.
 
Old 09-26-2014, 10:47 AM   #23
mancha
Member
 
Registered: Aug 2012
Posts: 484

Rep: Reputation: Disabled
I just wrote up a post with details on how to harden Bash to help protect from yet-to-be-discovered ways to abuse environment variables as well as two new out-of-bounds memory issues.

My post has links to patches I've packaged for Bash 3.1, 4.1, 4.2, and 4.3.

--mancha
 
2 members found this post helpful.
Old 09-26-2014, 11:43 AM   #24
rg3
Member
 
Registered: Jul 2007
Distribution: Fedora
Posts: 527

Rep: Reputation: Disabled
Thanks mancha for your work and involvement in the security community.

Just to clarify, I'm running slackware64-current and I have already installed the updates from "Thu Sep 25 19:55:13 UTC 2014", which includes the package "bash-4.3.025-x86_64-2". I can still run:

Code:
env X='() { (a)=>\' sh -c "echo date"; cat echo
A file named "echo" is created in the current directory containing the date. Is that normal or should that be fixed? Will a future update fix that kind of behavior? Thanks in advance.
 
Old 09-26-2014, 12:12 PM   #25
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
@rg3: That means the version is still exploitable by yacc-attack...

Try recompiling with this patch for bash 4.3 (the link is taken from mancha's post)

The correct (exploit-free) output should be something like:
Code:
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
date
cat: echo: No such file or directory
P.S. Be sure you delete the file "echo" before retrying the command and that you are in a writable directory (this should go without saying but stuff like this always bites me *blush*)

P.P.S. bash-4.2.045-i486-1 from Slackware 14.1 is unaffected by both the RCE and yacc-attack vulnerabilities, but it is affected by the out-of-bounds memory issues from post #227
 
1 members found this post helpful.
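The check described in post #25, wrapped as a repeatable script; this is an added example, not part of the original thread. It runs the test string posted above in a fresh scratch directory (so a leftover "echo" file or a read-only directory cannot skew the result) and classifies the outcome. The function names and result labels are hypothetical.

```shell
#!/bin/sh
# Added example: repeatable check for the CVE-2014-7169 test shown in this thread.
# classify_result and check_7169 are hypothetical names, not from any package.

# Pure classifier: $1 = "yes" if a file named "echo" appeared, $2 = captured stdout.
classify_result() {
    if [ "$1" = "yes" ]; then
        # The shell ran "date" and redirected its output into a file called "echo".
        echo "vulnerable"
    elif [ "$2" = "date" ]; then
        # The literal word "date" was echoed and no file was created.
        echo "not_affected"
    else
        echo "inconclusive"
    fi
}

# Run the test against the shell named in $1 inside a fresh, writable directory.
check_7169() {
    shell_bin=$1
    command -v "$shell_bin" >/dev/null 2>&1 || { echo "missing"; return 0; }
    scratch=$(mktemp -d) || { echo "inconclusive"; return 0; }
    # Import errors go to stderr on patched shells; only stdout matters here.
    out=$(cd "$scratch" && env X='() { (a)=>\' "$shell_bin" -c "echo date" 2>/dev/null) || true
    if [ -e "$scratch/echo" ]; then created=yes; else created=no; fi
    rm -rf "$scratch"
    classify_result "$created" "$out"
}

# Report on both invocation names used in the thread.
for s in bash sh; do
    printf '%s: %s\n' "$s" "$(check_7169 "$s")"
done
```

Rerun it after each package upgrade or rebuild to confirm the installed binary is the one that actually contains the fix.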
Old 09-26-2014, 12:24 PM   #26
thirdm
Member
 
Registered: May 2013
Location: Massachusetts
Distribution: Slackware, NetBSD, Debian, Sourcemage, 9front
Posts: 366
Blog Entries: 1

Rep: Reputation: Disabled
Quote:
Originally Posted by Smokey_justme View Post
@rg3: That means the version is still exploitable by yacc-attack...

Try recompiling with this patch for bash 4.3 (the link is taken from mancha's post)
Ahem. Do you really want that? I'm not saying I see problems in the patch, but it's more than a few lines of moderately complicated string handling (the minimum complexity of string handling in C) combined with memory allocation. And it was all whipped up, uh, yesterday during all this excitement. Maybe people should slow down a little, that's all I'm saying.
 
1 members found this post helpful.
Old 09-26-2014, 12:37 PM   #27
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
Unfortunately, loss of functionality or introducing some minor bug is safer than leaving the exploit unfixed...
 
Old 09-26-2014, 12:42 PM   #28
thirdm
Member
 
Registered: May 2013
Location: Massachusetts
Distribution: Slackware, NetBSD, Debian, Sourcemage, 9front
Posts: 366
Blog Entries: 1

Rep: Reputation: Disabled
A minor bug wasn't what I was concerned about. Recall this summer when someone demonstrated an exploit with a bounds error of only one byte.
 
Old 09-26-2014, 01:00 PM   #29
rg3
Member
 
Registered: Jul 2007
Distribution: Fedora
Posts: 527

Rep: Reputation: Disabled
Thanks for the replies. I didn't mean to start a discussion. I just find it confusing that on sites like https://shellshocker.net/ (currently on the main page of Hacker News), the second vulnerability CVE-2014-7169 is tested with the following code:

Code:
env X='() { (a)=>\' bash -c "echo date"; cat echo
Which still exposes buggy behavior on my slackware64-current system, and it's supposed to be fixed with the package "bash-4.3.025-x86_64-2".
 
Old 09-26-2014, 01:11 PM   #30
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 4,794

Rep: Reputation: 1882
If you look at the bash SlackBuild in current, the patch (eol-pushback.patch) is not used, so it's still vulnerable.
 
  


All times are GMT -5.