When will bash for Raspbian be patched for CVE-2014-6271?

[heatfanjohn]

When will bash for Raspbian be patched for CVE-2014-6271?

Debian has already patched for this vulnerability.

See https://lists.debian.org/debian-securit ... 00220.html for more details.

[jojopi]

The new package (bash_4.2+dfsg-0.1+deb7u1_armhf.deb) was available before you posted, I believe. Have you tried:

Code: Select all

sudo apt-get update
sudo apt-get upgrade

Incidentally, I blame the parents in any situation where this bug is exploitable. The whole purpose of bash is to execute arbitrary commands, and it already does so based on environment variables such as ENV. If you must try to use bash as a sandbox, sanitise the entire environment, not just the bits you know about.

[Joe Schmoe]

Incidentally, I blame the parents in any situation where this bug is exploitable.

What is the bug? I checked some of the referenced web pages, and, as usual, they don't give any details. Just says that "Stephane C. discovered something…".

(Really, not much point in discussing something if you are not going to discuss it…)

[jojopi]

It executes the trailing garbage on any environment variable constructed to look like an exported shell function.

Code: Select all

[email protected] ~ $ env ANYTHING='() { anything; }; /usr/bin/id -a' bash anything
uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),105(netdev),999(input)
Segmentation fault

[Joe Schmoe]

I was just curious as to exactly what was meant by "I blame the parents". When I first saw that, I thought the bug had something to do with kids accessing things on the Internet that they shouldn't.

Anyway, I found this elsewhere on the net:

'Shell Shock' Bash bug

"A bug discovered in the widely used Bash command interpreter poses a
critical security risk to Unix and Linux systems ^V and, thanks to their
ubiquity, the wider internet."

http://www.theregister.co.uk/2014/09/24 ... hell_vuln/

http://www.reuters.com/article/2014/09/ ... FQ20140924

[Tarcas]

From the register article:

You can check if you're vulnerable by running the following lines in your default shell, which on many systems will be Bash. If you see the words "busted", then you're at risk. If not, then either your Bash is fixed or your shell is using another interpreter.

Code: Select all

env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"

[heatfanjohn]

The new package (bash_4.2+dfsg-0.1+deb7u1_armhf.deb) was available before you posted, I believe. Have you tried:

Code: Select all

sudo apt-get update
sudo apt-get upgrade

Incidentally, I blame the parents in any situation where this bug is exploitable. The whole purpose of bash is to execute arbitrary commands, and it already does so based on environment variables such as ENV. If you must try to use bash as a sandbox, sanitise the entire environment, not just the bits you know about.

Thanks, I had tired:

Code: Select all

sudo apt-get update
sudo apt-get install --only-upgrade bash

And that returned that I was already on the latest version which failed the vulnerability test.

My Pi is down right now and I can't try the upgrade again until later today.

[LaughterOnWater]

Thank you for this. I'm posting this reply in case people are looking for the bugs "street" name Shell Shock.