aoakley
Posts: 64
Joined: Fri May 11, 2012 10:27 pm

bash bug / shell shock now fixed on Raspbian

Thu Sep 25, 2014 12:02 pm

The well-publicised vulnerability in bash appears to have been fixed in Raspbian some time in the last couple of hours (after 9am, before 1pm Thu 25 Sept 2014 BST). Thank you to the Raspbian, Foundation and/or other staff that have done this so quickly.

If your Pi is connectable from the outside world, you should update/upgrade urgently.

http://www.theregister.co.uk/2014/09/24 ... hell_vuln/

$ env X="() { :;} ; echo busted" `which bash` -c "echo completed"
busted
completed

$ sudo apt-get update && sudo apt-get -y dist-upgrade
...
The following packages will be upgraded:
bash libnss3
...

$ env X="() { :;} ; echo busted" `which bash` -c "echo completed"
/bin/bash: warning: X: ignoring function definition attempt
/bin/bash: error importing function definition for `X'
completed

Andrew Oakley - Cotswold Raspberry Jam, Gloucestershire - http://www.cotswoldjam.org

Dedalus
Posts: 8
Joined: Sat Jan 19, 2013 11:56 pm

Re: bash bug / shell shock now fixed on Raspbian

Thu Sep 25, 2014 12:16 pm

Great news. Thanks for posting.

jojopi
Posts: 3042
Joined: Tue Oct 11, 2011 8:38 pm

Re: bash bug / shell shock now fixed on Raspbian

Thu Sep 25, 2014 12:58 pm

aoakley wrote: The well-publicised vulnerability in bash appears to have been fixed in Raspbian some time in the last couple of hours (after 9am, before 1pm Thu 25 Sept 2014 BST).

The fixed package was available by the end of Wednesday (UTC) from at least some mirrors.

aoakley wrote: If your Pi is connectable from the outside world, you should update/upgrade urgently.

If your Pi gives bash unsanitised environment variables from the internet, in contexts where the remote user is not trusted to run arbitrary commands, I suggest disconnecting it to fix that issue and audit your code.

Joe Schmoe
Posts: 4277
Joined: Sun Jan 15, 2012 1:11 pm

Re: bash bug / shell shock now fixed on Raspbian

Thu Sep 25, 2014 1:28 pm

Yeah, I don't get this "bug" at all. Which probably means that it's just never been adequately explained to me.

But, here's my understanding of it. What's the difference between:

myfunc() { do something bad when myfunc gets called }

and:

myfunc() { Only do good things here }; do Something Bad here

The main difference is that in the first method, it just doesn't happen right away.

And some folks need to stop being fanboys and see the forest behind the trees.

(One of the best lines I've seen on this board lately)

PeterO
Posts: 4292
Joined: Sun Jul 22, 2012 4:14 pm

Re: bash bug / shell shock now fixed on Raspbian

Thu Sep 25, 2014 1:42 pm

BBC journalists manage to get things wrong as normal....

"Bash - which stands for Bourne-Again SHell - is a command prompt on many Unix computers. Unix is an operating system on which many others are built, such as Linux and Mac OS."

"a command prompt"... It's an interpreter not a prompt!

And someone who writes "Linux is built on Unix" doesn't understand the history of the relationship.

PeterO
Last edited by PeterO on Thu Sep 25, 2014 1:56 pm, edited 1 time in total.
Discoverer of the PI2 XENON DEATH FLASH!
Interests: C,Python,PIC,Electronics,Ham Radio (G0DZB),Aeromodelling,1960s British Computers.
"The primary requirement (as we've always seen in your examples) is that the code is readable. " Dougie Lawson

RaTTuS
Posts: 10119
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK

Re: bash bug / shell shock now fixed on Raspbian

Thu Sep 25, 2014 1:52 pm

How To ask Questions :- http://www.catb.org/esr/faqs/smart-questions.html
WARNING - some parts of this post may be erroneous YMMV


diederik
Posts: 389
Joined: Wed Mar 26, 2014 11:17 pm

Re: bash bug / shell shock now fixed on Raspbian

Thu Sep 25, 2014 2:31 pm

aoakley wrote: $ env X="() { :;} ; echo busted" `which bash` -c "echo completed"

That will test whether bash is vulnerable.

To test whether your SYSTEM is vulnerable do

env X="() { :;} ; echo busted" /bin/sh -c "echo completed"

The difference is significant, since dash is the default shell (= /bin/sh) on Debian systems since Squeeze (thus also wheezy)
Interesting read, thanks :)

Richard-TX
Posts: 1549
Joined: Tue May 28, 2013 3:24 pm
Location: North Texas

Re: bash bug / shell shock now fixed on Raspbian

Thu Sep 25, 2014 3:33 pm

I have known about the bash bug for quite some time. I dismissed it as yet another reason to not use bash as a scripting shell. For more years than I care to admit to, I have insisted at work that everyone write all shell scripts in /bin/sh; if for no other reason than portability. Now I can add security to that list of reasons.

I once went on a job site to do some consulting. I was shown a very elaborate script written in ksh. My comment was, "I see that the author went out of his way to write a script that could only be executed in korn shell." The response was "I hear a lot of that."

Anyway, the bottom line is that my rule to write all shell scripts in /bin/sh seems to be a good one. Not that /bin/sh is totally secure but it seems better than the alternatives.

Richard
Somehow "I told you so" just doesn't quite say it.
Richard
Doing Unix since 1985.
The 9-25-2013 image of Wheezy can be found at:
http://downloads.raspberrypi.org/raspbian/images/raspbian-2013-09-27/2013-09-25-wheezy-raspbian.zip

PeterO
Posts: 4292
Joined: Sun Jul 22, 2012 4:14 pm

Re: bash bug / shell shock now fixed on Raspbian

Thu Sep 25, 2014 4:13 pm

Richard-TX wrote: I have known about the bash bug for quite some time..

And you didn't tell anyone?
PeterO

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Posts: 5369
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: bash bug / shell shock now fixed on Raspbian

Thu Sep 25, 2014 4:18 pm

Probably worth mentioning that it's not fixed in jessie yet.

rpdom
Posts: 12947
Joined: Sun May 06, 2012 5:17 am
Location: Ankh-Morpork

Re: bash bug / shell shock now fixed on Raspbian

Thu Sep 25, 2014 4:28 pm

ShiftPlusOne wrote: Probably worth mentioning that it's not fixed in jessie yet.

jessie/testing doesn't get security updates like wheezy/stable does. Instead the updates go straight into (Debian) sid/unstable and then trickle down to jessie within a few days.

shellshock
Posts: 1
Joined: Thu Sep 25, 2014 4:43 pm

Re: bash bug / shell shock now fixed on Raspbian

Thu Sep 25, 2014 4:47 pm

Seeing as this is the first search link that comes up for 'raspberry pi shellshock' for me I think it's worth mentioning that to update the pi users can open a terminal and type sudo apt-get update and this should install all the packages to fix this bug.
(Correct me if I'm wrong about that, only new to this.)
ty

DougieLawson
Posts: 34166
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: bash bug / shell shock now fixed on Raspbian

Thu Sep 25, 2014 4:48 pm

This is hardly a big deal for a stand-alone Pi sitting on a NAT'd LAN with one or two users and no shell access from the public internet for random users.

The BBC article was shouting "#weareallgoingtodie!" over something that's somewhat less than exciting and mostly a trivial thing discovered by a security researcher with too much time on his hands.
Microprocessor, Raspberry Pi & Arduino Hacker
Mainframe database troubleshooter
MQTT Evangelist
Twitter: @DougieLawson

2012-18: 1B*5, 2B*2, B+, A+, Z, ZW, 3Bs*3, 3B+

Any DMs sent on Twitter will be answered next month.

plugwash
Forum Moderator
Posts: 3268
Joined: Wed Dec 28, 2011 11:45 pm

Re: bash bug / shell shock now fixed on Raspbian

Thu Sep 25, 2014 4:52 pm

I've seen reports on irc that +deb7u1 fixes the initial bug but there is a variant that it doesn't fix :(

PeterO
Posts: 4292
Joined: Sun Jul 22, 2012 4:14 pm

Re: bash bug / shell shock now fixed on Raspbian

Thu Sep 25, 2014 5:05 pm

shellshock wrote: Seeing as this is the first search link that comes up for 'raspberry pi shellshock' for me I think it's worth mentioning that to update the pi users can open a terminal and type sudo apt-get update and this should install all the packages to fix this bug.
(Correct me if I'm wrong about that, only new to this.)
ty

The solution was given in the first post in the thread......
PeterO

DWomack
Posts: 20
Joined: Thu Jan 30, 2014 11:55 am

Re: bash bug / shell shock now fixed on Raspbian

Thu Sep 25, 2014 8:39 pm

Should

sudo rpi-update

fix this? It does not here.


Dennis

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Posts: 5369
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: bash bug / shell shock now fixed on Raspbian

Thu Sep 25, 2014 8:42 pm

Nope, rpi-update is for rpi specific stuff like the kernel and firmware.

DWomack
Posts: 20
Joined: Thu Jan 30, 2014 11:55 am

Re: bash bug / shell shock now fixed on Raspbian

Thu Sep 25, 2014 9:32 pm

I ran

sudo apt-get update && sudo apt-get -y dist-upgrade

It took a long time to run, supposedly fixed a lot of stuff.

Ran the test and shell shock problem is fixed.

Thanks


Dennis

cyrano
Posts: 713
Joined: Wed Dec 05, 2012 11:48 pm
Location: Belgium

Re: bash bug / shell shock now fixed on Raspbian

Thu Sep 25, 2014 9:50 pm

The patches are not sufficient. A new CVE has been given:
http://web.nvd.nist.gov/view/vuln/detai ... -2014-7169

SiriusHardware
Posts: 494
Joined: Thu Aug 02, 2012 9:09 pm
Location: UK

Re: bash bug / shell shock now fixed on Raspbian

Thu Sep 25, 2014 9:52 pm

What if we don't want to fully upgrade the distro, just fix the bash bug?

My understanding is that

dpkg -s bash | grep Version

...will show which version of Bash is currently installed.

What I don't know is which is the latest / most recent 'bad' version in Raspbian, and which is the earliest 'good' version.

As far as I know

sudo apt-get update && sudo apt-get install bash

...will install the latest available version of bash over the currently installed version, and then doing this again

dpkg -s bash | grep Version

...should confirm the new / current version of bash?

After doing this on 25th September 2014 the output from the above command is

Version: 4.2+dfsg-0.1+deb7u1

Final edit: after a couple of patch-ups, the final fully fixed version now available from the repos for Raspbian is

Version: 4.2+dfsg-0.1+deb7u3

Last edited by SiriusHardware on Tue Oct 07, 2014 7:02 pm, edited 1 time in total.

diederik
Posts: 389
Joined: Wed Mar 26, 2014 11:17 pm

Re: bash bug / shell shock now fixed on Raspbian

Thu Sep 25, 2014 11:27 pm

SiriusHardware wrote: What if we don't want to fully upgrade the distro, just fix the bash bug?

aptitude safe-upgrade bash

SiriusHardware wrote: which is the earliest 'good' version.

for wheezy: 4.2+dfsg-0.1+deb7u1
for jessie: 4.3-9.1

SiriusHardware wrote: sudo apt-get update && sudo apt-get install bash

That works too.

SiriusHardware wrote: After doing this on 25th September 2014 the output from the above command is

Version: 4.2+dfsg-0.1+deb7u1

So you have a version which fixed the first reported issue, but as cyrano reported, it's not all that needs to be fixed.

Tarcas
Posts: 740
Joined: Thu Jan 09, 2014 5:38 am
Location: USA

Re: bash bug / shell shock now fixed on Raspbian

Thu Sep 25, 2014 11:32 pm

shellshock wrote: Seeing as this is the first search link that comes up for 'raspberry pi shellshock' for me I think it's worth mentioning that to update the pi users can open a terminal and type sudo apt-get update and this should install all the packages to fix this bug.
(Correct me if I'm wrong about that, only new to this.)
ty

Sorry, you missed a step. apt-get update only updates the list of available packages. After that's done, either run "apt-get upgrade" to upgrade all packages that you have installed for which newer versions are available, or "apt-get install bash" in order to install the latest version of bash, which will replace your currently-installed version.

It's good practice to periodically update your system anyway with: apt-get update; apt-get upgrade

plugwash
Forum Moderator
Posts: 3268
Joined: Wed Dec 28, 2011 11:45 pm

Re: bash bug / shell shock now fixed on Raspbian

Thu Sep 25, 2014 11:41 pm

For the most up to date fix (the initial fix was incomplete) you need version 4.2+dfsg-0.1+deb7u3 which should have hit the raspbian wheezy repos sometime between midnight and 1AM UK time.

Jessie is still vulnerable to the variant attack right now, hopefully it should be fixed soon.
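
Added example, not part of any post in this thread: a POSIX shell script combining the two checks discussed above, the env test from the first post run separately against /bin/sh and bash, and a comparison of the installed bash package version with the wheezy versions quoted in the thread. The function names are hypothetical, and the version thresholds only mean something on Raspbian/Debian wheezy.

```shell
#!/bin/sh
# Added example. FIXED_WHEEZY is the version the thread names as fully fixed
# for Raspbian wheezy; other releases (e.g. jessie) need their own threshold.
FIXED_WHEEZY='4.2+dfsg-0.1+deb7u3'
FIRST_FIX_WHEEZY='4.2+dfsg-0.1+deb7u1'

# probe_shell PATH: run the harmless marker test from the first post against
# one shell. Prints "vulnerable", "patched", "missing" or "unknown".
probe_shell() {
    [ -x "$1" ] || { echo missing; return 0; }
    # stderr is discarded: the patched bash shown above prints warnings there.
    probe_out=$(env X='() { :;} ; echo busted' "$1" -c 'echo completed' 2>/dev/null) || true
    case "$probe_out" in
        *busted*)    echo vulnerable ;;
        *completed*) echo patched ;;
        *)           echo unknown ;;
    esac
}

# wheezy_bash_status VERSION: place a Debian version string relative to the
# two wheezy versions quoted in the thread, using dpkg's own ordering rules.
wheezy_bash_status() {
    command -v dpkg >/dev/null 2>&1 || { echo no-dpkg; return 0; }
    if dpkg --compare-versions "$1" ge "$FIXED_WHEEZY"; then
        echo fully-fixed
    elif dpkg --compare-versions "$1" ge "$FIRST_FIX_WHEEZY"; then
        echo first-fix-only
    else
        echo unpatched
    fi
}

# report: probe /bin/sh and bash separately (they are different programs on
# Debian), then show where the installed bash package version stands.
report() {
    for sh in /bin/sh "$(command -v bash 2>/dev/null)"; do
        [ -n "$sh" ] && echo "$sh: $(probe_shell "$sh")"
    done
    if command -v dpkg-query >/dev/null 2>&1; then
        ver=$(dpkg-query -W -f='${Version}' bash 2>/dev/null) || ver=''
        [ -n "$ver" ] && echo "bash package $ver: $(wheezy_bash_status "$ver")"
    fi
    return 0
}

report
```

The behavioural probe only covers the first reported issue; for the later variant mentioned in the thread, rely on the package version check.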

sejtam
Posts: 2
Joined: Fri Sep 26, 2014 3:37 am

Re: bash bug / shell shock now fixed on Raspbian

Fri Sep 26, 2014 3:42 am

I ran

# apt-get update
# apt-get upgrade

but my bash is still vulnerable.

# cat /etc/debian_version
7.1

# dpkg -s bash | grep Version
Version: 4.2+dfsg-0.1

# apt-get update
Hit http://raspberrypi.collabora.com wheezy Release.gpg
Hit http://distribution-us.hexxeh.net wheezy Release.gpg
Hit http://raspberrypi.collabora.com wheezy Release
Hit http://distribution-us.hexxeh.net wheezy Release
Hit http://archive.raspberrypi.org wheezy Release.gpg
Hit http://raspberrypi.collabora.com wheezy/rpi armhf Packages
Hit http://archive.raspberrypi.org wheezy Release
Hit http://distribution-us.hexxeh.net wheezy/main armhf Packages
Hit http://archive.raspberrypi.org wheezy/main armhf Packages
Hit http://distribution-us.hexxeh.net wheezy/contrib armhf Packages
Hit http://distribution-us.hexxeh.net wheezy/non-free armhf Packages
Hit http://distribution-us.hexxeh.net wheezy/rpi armhf Packages
Ign http://raspberrypi.collabora.com wheezy/rpi Translation-en_SG
Ign http://archive.raspberrypi.org wheezy/main Translation-en_SG
Ign http://raspberrypi.collabora.com wheezy/rpi Translation-en
Ign http://archive.raspberrypi.org wheezy/main Translation-en
Ign http://distribution-us.hexxeh.net wheezy/contrib Translation-en_SG
Ign http://distribution-us.hexxeh.net wheezy/contrib Translation-en
Ign http://distribution-us.hexxeh.net wheezy/main Translation-en_SG
Ign http://distribution-us.hexxeh.net wheezy/main Translation-en
Ign http://distribution-us.hexxeh.net wheezy/non-free Translation-en_SG
Ign http://distribution-us.hexxeh.net wheezy/non-free Translation-en
Ign http://distribution-us.hexxeh.net wheezy/rpi Translation-en_SG
Ign http://distribution-us.hexxeh.net wheezy/rpi Translation-en
Reading package lists... Done
# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
# apt-get install bash
Reading package lists... Done
Building dependency tree
Reading state information... Done
bash is already the newest version.
The following package was automatically installed and is no longer required:
libelf1
Use 'apt-get autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.



What am I missing?

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 20907
Joined: Sat Jul 30, 2011 7:41 pm

Re: bash bug / shell shock now fixed on Raspbian

Fri Sep 26, 2014 4:14 am

PeterO wrote:
Richard-TX wrote: I have known about the bash bug for quite some time..
And you didn't tell anyone?
PeterO

Indeed. One of the worst security bugs ever (10 out of 10), in the code for 22 years, and you sat on it? The original report for this was 09/24/2014. If anyone knew about this from before that, well, not reporting it was practically criminal. Are you sure you knew about it?
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Please direct all questions to the forum, I do not do support via PM.
