LMDE: Shellshock Bash Bug Fix?

metalhamster

Re: LMDE: Shellshock Bash Bug Fix?

Post by metalhamster »

Hi Kurotsugi,

You are right with the patch issue in LMDE, but Linux Mint is a desktop-oriented distribution, and (even if it's able to) it hasn't been made on purpose for hosting services across the internet. Taking this into account, the exposure of an LMDE basic setup to any external hazard should be quite low (patched or not). You need to tinker around to mess things up and expose yourself, and a basic or average user wouldn't do that.

Besides, people should be aware that Samba, CUPS and other network-based services shouldn't be made available outside of the local network. And so on with keeping weak passwords, saving them in your browser, having a poorly secured wireless network, using third-party non-signed/non-trusted software, opening mail from unknown recipients and so on...

I wonder if there's any way to help to speed up the debian testing -> LMDE patch assimilation process from there.
If your main concern is security, you can also swap to FreeBSD or NetBSD if needed...

Be water, my friend and flow with those patches! ;-)
kurotsugi

Re: LMDE: Shellshock Bash Bug Fix?

Post by kurotsugi »

Remember that we are talking about a system with 200+ security holes. It doesn't matter if you're running a desktop or a server. If you're running LMDE you don't have to screw up your system. Your system already opens 200+ doors for that malicious stuff. Remember that LMDE is created by the Mint team, a famous Linux distro with the #1 rank on DistroWatch. The reputation of LMDE having 200+ security holes should already have spread widely. It's a public invitation to hack your system.
Monsta

Re: LMDE: Shellshock Bash Bug Fix?

Post by Monsta »

metalhamster wrote:I wonder if there's any way to help to speed up the debian testing -> LMDE patch assimilation process from there.
Will be done automatically on the transition of LMDE to the next Debian Stable - all the security patches will be delivered via Debian repos.
mockturtl

Re: LMDE: Shellshock Bash Bug Fix?

Post by mockturtl »

This is the best resource I've seen: https://shellshocker.net/

bash 4.3-11 just landed in sid, and passes all their tests.


 $ ./shellshock_test.sh 
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
sdibaja

Re: LMDE: Shellshock Bash Bug Fix?

Post by sdibaja »

The LMDE patch came on the Update Manager on September 30...

or has the topic of this thread changed?
Peter
Mate desktop https://wiki.debian.org/MATE
Debian GNU/Linux operating system: https://www.debian.org/download
kurotsugi

Re: LMDE: Shellshock Bash Bug Fix?

Post by kurotsugi »

The LMDE patch came on the Update Manager on September 30...
According to this site, LMDE hasn't patched anything regarding bash: http://packages.linuxmint.com/list.php? ... bian#romeo
The latest security updates were in March for the famous Heartbleed and OpenSSL issue.
killer de bug

Re: LMDE: Shellshock Bash Bug Fix?

Post by killer de bug »

And according to the same site, you are once again saying something wrong.
http://packages.linuxmint.com/list.php? ... ian#import

Bash has been patched in LMDE... :roll:

KDB@KDB-laptop ~ $ apt policy bash
bash:
Installé : 4.3-9.2
Candidat : 4.3-9.2
Table de version :
*** 4.3-9.2 0
700 http://packages.linuxmint.com/ debian/import amd64 Packages
100 /var/lib/dpkg/status
4.2+dfsg-1 0
500 http://mirrors.nic.cz/linuxmint-debian/incoming/ testing/main amd64 Packages
kurotsugi

Re: LMDE: Shellshock Bash Bug Fix?

Post by kurotsugi »

I've been wondering where our legendary defender has been these past few days. Great to see you there :3
Btw, the answer is right above you. Care to look carefully into this matter?
This is the best resource I've seen: https://shellshocker.net/

bash 4.3-11 just landed in sid, and passes all their tests.
LMDE's security patches were done via the romeo branch. I missed bash because the Mint team silently moved the security patch to the import branch. Does that mean you're safe now? AFAIK, no. bash 4.3-9 contains the temporary solution for the vulnerability and didn't fully solve the problem. http://arstechnica.com/security/2014/09 ... ck-a-mole/. If you do the Shellshock test you'll find that LMDE's bash is still vulnerable.
mockturtl

Re: LMDE: Shellshock Bash Bug Fix?

Post by mockturtl »

kurotsugi wrote: Does that mean you're safe now? AFAIK, no.
It's a moving target, as related vulnerabilities have been discovered.

For what it's worth, according to my tests earlier today:
  • cygwin is fully patched
  • OSX Mavericks is vulnerable to 4 out of 7
  • OSX Yosemite beta has patched everything but CVE-2014-6277 ("segfault")
    • edit: OSX Yosemite beta is fully patched; the failure was a false alarm. Discussion below.
Last edited by mockturtl on Fri Oct 10, 2014 11:32 am, edited 1 time in total.
killer de bug

Re: LMDE: Shellshock Bash Bug Fix?

Post by killer de bug »

kurotsugi wrote: LMDE's security patches were done via the romeo branch. I missed bash because the Mint team silently moved the security patch to the import branch.
Saying this proves that you don't understand the way Mint works... Putting security fixes in the unstable repo, which is not recommended to be used by every user... Seriously :roll:
Monsta

Re: LMDE: Shellshock Bash Bug Fix?

Post by Monsta »

mockturtl wrote:This is the best resource I've seen: https://shellshocker.net/

bash 4.3-11 just landed in sid, and passes all their tests.


 $ ./shellshock_test.sh 
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
Wait, but 4.3-9.2 passes these tests as well:


monsta@asylum ~ $ apt policy bash
bash:
  Установлен: 4.3-9.2
  Кандидат:   4.3-9.2
  Таблица версий:
 *** 4.3-9.2 0
        700 http://debian.lth.se/linuxmint/ debian/import amd64 Packages
        100 /var/lib/dpkg/status
     4.2+dfsg-1 0
        500 http://debian.lth.se/lmde/latest/ testing/main amd64 Packages


monsta@asylum ~ $ curl https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2627  100  2627    0     0   2169      0  0:00:01  0:00:01 --:--:--  2171
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
Did I miss something? :?
sdibaja

Re: LMDE: Shellshock Bash Bug Fix?

Post by sdibaja »

I am not really sure what you guys are going on about.
Over here we are just letting Update Manager do its thing without any user tweaking:


peter@sager-lmde:~$ apt policy bash
bash:
  Installed: 4.3-9.2
  Candidate: 4.3-9.2
  Version table:
 *** 4.3-9.2 0
        700 http://packages.linuxmint.com/ debian/import amd64 Packages
        100 /var/lib/dpkg/status
     4.2+dfsg-1 0
        500 http://debian.linuxmint.com/latest/ testing/main amd64 Packages
peter@sager-lmde:~$ 


peter@sager-lmde:~$ curl https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2627  100  2627    0     0   4955      0 --:--:-- --:--:-- --:--:--  4956
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
peter@sager-lmde:~$ 
Is there something else we should be doing? Other checks we should make?
Peter
Mate desktop https://wiki.debian.org/MATE
Debian GNU/Linux operating system: https://www.debian.org/download
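
Added example, not part of any post in this thread: the `apt policy bash` output above was posted in French, Russian and English, so this sketch keys on the untranslated `***` marker to report the installed version and the repository serving it. The function names are hypothetical, `debian/romeo` is an assumed suite name for the romeo branch mentioned in the thread, and the sample input is copied from the Russian-locale post.

```shell
#!/bin/sh
# Added example (not from the thread): read `apt policy` output in any locale.
# apt translates the labels ("Installed", "Installé", "Установлен") but not
# the "***" marker that flags the installed entry in the version table.

installed_origin() {
    # stdin: `apt policy <pkg>` output.
    # stdout: "<version> <pin-priority> <repo-url> <suite/component>" for each
    # repository offering the installed version (dpkg status file is skipped).
    awk '
        $1 == "***"                     { ver = $2; in_block = 1; next }
        NF == 2 && $2 ~ /^-?[0-9]+$/    { in_block = 0; next }  # another version entry
        in_block && $2 ~ /^[a-z]+:\/\// { print ver, $1, $2, $3 }
    '
}

installed_from_suite() {
    # $1: suite/component to look for, e.g. debian/import.
    # Succeeds only if the installed version is offered by that suite.
    installed_origin | awk -v want="$1" '$4 == want { found = 1 } END { exit !found }'
}

sample_policy() {
    # Sample input: the Russian-locale output posted earlier in this thread.
    cat <<'EOF'
bash:
  Установлен: 4.3-9.2
  Кандидат:   4.3-9.2
  Таблица версий:
 *** 4.3-9.2 0
        700 http://debian.lth.se/linuxmint/ debian/import amd64 Packages
        100 /var/lib/dpkg/status
     4.2+dfsg-1 0
        500 http://debian.lth.se/lmde/latest/ testing/main amd64 Packages
EOF
}

# Demo on the sample; on a live system use: apt policy bash | installed_origin
sample_policy | installed_origin
# debian/romeo is an assumed suite name, used here only as a negative case.
for suite in debian/import debian/romeo; do
    if sample_policy | installed_from_suite "$suite"; then
        echo "installed bash is served by $suite"
    else
        echo "installed bash is NOT served by $suite"
    fi
done
```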
killer de bug

Re: LMDE: Shellshock Bash Bug Fix?

Post by killer de bug »

Monsta wrote: Did I miss something? :?
Maybe the part where kurotsugi clearly says that he did not try the patch from LMDE before saying that it doesn't solve the problem? :?
mockturtl

Re: LMDE: Shellshock Bash Bug Fix?

Post by mockturtl »

Monsta wrote:Did I miss something? :?
That's interesting. Versions 4.3-9.2 and 4.3-10 failed the "segfault" test in my local copy of the script; it must have changed.

Looks like it was a false alarm: https://github.com/wreiske/shellshocker ... 0bbf8fca74

[debian changelog]

(Does anyone know why the new 'tracker.debian.org' does not link to the changelog, compared to the old 'packages.qa.debian.org'?)
Monsta

Re: LMDE: Shellshock Bash Bug Fix?

Post by Monsta »

mockturtl wrote:(Does anyone know why the new 'tracker.debian.org' does not link to the changelog, compared to the old 'packages.qa.debian.org'?)
The changelog links are on the left side (the "versioned links" pane) - click on the "plus in circle" icon.
It's not easy to find, and there's a bug report about it.
mockturtl

Re: LMDE: Shellshock Bash Bug Fix?

Post by mockturtl »

Monsta wrote:The changelog links are on the left side (the "versioned links" pane) - click on the "plus in circle" icon.
It's not easy to find, and there's a bug report about it.
Ah! Thank you. That's a strange adjustment to the layout.