heatfanjohn
Posts: 28
Joined: Fri Jun 28, 2013 5:18 pm
Location: Davie, FL

When will bash for Raspbian be patched for CVE-2014-6271?

Thu Sep 25, 2014 1:30 am

When will bash for Raspbian be patched for CVE-2014-6271?

Debian has already patched for this vulnerability.

See https://lists.debian.org/debian-securit ... 00220.html for more details.

jojopi
Posts: 3086
Joined: Tue Oct 11, 2011 8:38 pm

Re: When will bash for Raspbian be patched for CVE-2014-6271

Thu Sep 25, 2014 3:30 am

The new package (bash_4.2+dfsg-0.1+deb7u1_armhf.deb) was available before you posted, I believe. Have you tried:


sudo apt-get update
sudo apt-get upgrade
Incidentally, I blame the parents in any situation where this bug is exploitable. The whole purpose of bash is to execute arbitrary commands, and it already does so based on environment variables such as ENV. If you must try to use bash as a sandbox, sanitise the entire environment, not just the bits you know about.
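
The "sanitise the entire environment" advice above, as an added example that is not code from any poster or from the Raspbian bash package: a POSIX sh wrapper that runs a child under `env -i` with an allow-list of variables (PATH, HOME, LANG, TERM are this example's own choice) and refuses even an allow-listed value that starts with `() {`, the marker unpatched bash parsed as an exported function. The helper names (run_clean, env_value_ok, clean_env_args) are hypothetical.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster or from the
# Raspbian bash package.  The helper names and the allow-list below are
# this example's own choices.

# env_value_ok VALUE -> 0 if VALUE may be passed through, 1 if it starts
# with "() {", the marker that unpatched bash parsed as an exported function.
env_value_ok() {
  case "$1" in
    '() {'*) return 1 ;;
    *)       return 0 ;;
  esac
}

# clean_env_args -> prints NAME=VALUE, one per line, for each allow-listed
# variable that is set in the caller's environment and passes env_value_ok.
# Anything not on the list (and anything that fails the check) is dropped.
clean_env_args() {
  for name in PATH HOME LANG TERM; do
    eval "val=\${$name-__unset__}"
    [ "$val" = "__unset__" ] && continue
    if env_value_ok "$val"; then
      printf '%s=%s\n' "$name" "$val"
    else
      printf 'run_clean: dropping %s (value looks like a function body)\n' "$name" >&2
    fi
  done
}

# run_clean CMD [ARGS...] -> runs CMD under env -i with only the variables
# clean_env_args approved, so the child never sees the rest of our environment.
run_clean() {
  old_ifs=$IFS
  IFS='
'                # split clean_env_args output on newlines only
  set -f         # no globbing of the NAME=VALUE words
  env -i $(clean_env_args) "$@"
  status=$?
  set +f
  IFS=$old_ifs
  return $status
}

# Demonstration: a crafted variable in our environment is not visible to the child.
X='() { :;}; echo busted' run_clean /bin/sh -c 'printf "X is %s\n" "${X-absent}"'
```

The point of the allow-list rather than a deny-list is the one jojopi makes: you cannot enumerate every variable bash (or the child's libraries) might honour, so start from nothing and add back only what the child needs.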

Joe Schmoe
Posts: 4277
Joined: Sun Jan 15, 2012 1:11 pm

Re: When will bash for Raspbian be patched for CVE-2014-6271

Thu Sep 25, 2014 3:39 am

jojopi wrote: Incidentally, I blame the parents in any situation where this bug is exploitable.

What is the bug? I checked some of the referenced web pages, and, as usual, they don't give any details. Just says that "Stephane C. discovered something…".

(Really, not much point in discussing something if you are not going to discuss it…)
Last edited by Joe Schmoe on Thu Sep 25, 2014 4:17 am, edited 1 time in total.
And some folks need to stop being fanboys and see the forest behind the trees.

(One of the best lines I've seen on this board lately)

jojopi
Posts: 3086
Joined: Tue Oct 11, 2011 8:38 pm

Re: When will bash for Raspbian be patched for CVE-2014-6271

Thu Sep 25, 2014 4:09 am

It executes the trailing garbage on any environment variable constructed to look like an exported shell function.


$ env ANYTHING='() { anything; }; /usr/bin/id -a' bash anything
uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),105(netdev),999(input)
Segmentation fault

Joe Schmoe
Posts: 4277
Joined: Sun Jan 15, 2012 1:11 pm

Re: When will bash for Raspbian be patched for CVE-2014-6271

Thu Sep 25, 2014 5:08 am

I was just curious as to exactly what was meant by "I blame the parents". When I first saw that, I thought the bug had something to do with kids accessing things on the Internet that they shouldn't.

Anyway, I found this elsewhere on the net:

'Shell Shock' Bash bug

"A bug discovered in the widely used Bash command interpreter poses a
critical security risk to Unix and Linux systems - and, thanks to their
ubiquity, the wider internet."

http://www.theregister.co.uk/2014/09/24 ... hell_vuln/

http://www.reuters.com/article/2014/09/ ... FQ20140924

Tarcas
Posts: 741
Joined: Thu Jan 09, 2014 5:38 am
Location: USA

Re: When will bash for Raspbian be patched for CVE-2014-6271

Thu Sep 25, 2014 1:35 pm

From the register article:
You can check if you're vulnerable by running the following lines in your default shell, which on many systems will be Bash. If you see the words "busted", then you're at risk. If not, then either your Bash is fixed or your shell is using another interpreter.


env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"
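
The two probe lines above wrapped into a small script, as an added example that is not code from The Register or from any poster: the payload is the same (the function body is `:`, and only the trailing `echo busted` reveals whether the interpreter executes text after the function), but the result comes back as a word and the installed bash package version is printed alongside it on dpkg-based systems such as Raspbian. The function names (classify_probe, probe_shell, report) are this example's own.

```shell
#!/bin/sh
# Added example for this thread, not code from The Register or any poster.
# classify_probe, probe_shell and report are this example's own names.

# classify_probe OUTPUT -> "vulnerable" if the injected "echo busted" ran,
# "patched" otherwise.  Kept separate from the probe so it can be checked
# on constructed output strings.
classify_probe() {
  case "$1" in
    *busted*) echo vulnerable ;;
    *)        echo patched ;;
  esac
}

# probe_shell INTERPRETER -> runs the post's check against one interpreter.
# Prints "vulnerable", "patched", or "missing" if INTERPRETER is not executable.
probe_shell() {
  interp=$1
  if [ ! -x "$interp" ]; then
    echo missing
    return 0
  fi
  # Same payload as the post: the function body is ":", and the trailing
  # "echo busted" only runs if the interpreter executes trailing commands.
  out=$(env X='() { :;}; echo busted' "$interp" -c 'echo completed' 2>/dev/null || true)
  classify_probe "$out"
}

# report -> one line per interpreter (/bin/sh and whichever bash is on PATH),
# plus the installed bash package version where dpkg is available, so the
# result can be compared with the deb7u1 package mentioned earlier in the thread.
report() {
  for interp in /bin/sh "$(command -v bash 2>/dev/null || true)"; do
    [ -n "$interp" ] || continue
    printf '%s: %s\n' "$interp" "$(probe_shell "$interp")"
  done
  if command -v dpkg-query >/dev/null 2>&1; then
    printf 'bash package: %s\n' \
      "$(dpkg-query -W -f '${Version}' bash 2>/dev/null || echo 'not installed')"
  fi
}

report
```

As the article says, "patched" for /bin/sh can mean either that bash was fixed or that /bin/sh is a different interpreter (dash on Debian-derived systems), which is why the script probes bash by its own path as well.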

heatfanjohn
Posts: 28
Joined: Fri Jun 28, 2013 5:18 pm
Location: Davie, FL

Re: When will bash for Raspbian be patched for CVE-2014-6271

Thu Sep 25, 2014 4:05 pm

jojopi wrote: The new package (bash_4.2+dfsg-0.1+deb7u1_armhf.deb) was available before you posted, I believe. Have you tried:


sudo apt-get update
sudo apt-get upgrade
Incidentally, I blame the parents in any situation where this bug is exploitable. The whole purpose of bash is to execute arbitrary commands, and it already does so based on environment variables such as ENV. If you must try to use bash as a sandbox, sanitise the entire environment, not just the bits you know about.
Thanks, I had tried:


sudo apt-get update
sudo apt-get install --only-upgrade bash
And that returned that I was already on the latest version which failed the vulnerability test.

My Pi is down right now and I can't try the upgrade again until later today.

LaughterOnWater
Posts: 18
Joined: Sun Jan 20, 2013 3:34 pm
Location: United States
Contact: Website

Raspbian patched for Shell Shock

Thu Sep 25, 2014 4:21 pm

Thank you for this. I'm posting this reply in case people are looking for the bug's "street" name, Shell Shock.
LaughterOnWater
http://low.li
http://www.youtube.com/user/LaughterOnWater
