Main Edition: BASH vulnerability a.k.a. 'Shellshock'

all41
Level 19
Posts: 9520
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Re: Cyber attacks on Linux?

Post by all41 »

It's been patched by almost all major Linux groups, by now.
- in all cases, even before it had hit the news-wire services.
Hey flag wavers--compare that with your "patch Tuesday"
and with your anti-virus definition update and detection abilities.
Everything in life was difficult before it became easy.
viking1au
Level 3
Posts: 141
Joined: Thu Jun 09, 2011 8:03 am
Location: Warburton, Victoria; AU.
Contact:

Re: Cyber attacks on Linux?

Post by viking1au »

All this does not do anything for the complete & total crash my system had. -- Then the time spent trying to load a fresh system onto the hard drive. - It kept coming up with some sort of file error for quite some time; until I had gotten it to accept a load-up of Linux Lite. -- Then re-load Mint 17 on that & another hard drive.---The only saving grace in the middle of all this is that I had learnt the value of constantly backing up. -- Thank god for that, but still a lot of work.

The latest news from other sites seems to be that 'Bash' fixes may not be a longer term solution & more needs to be done. -Rgds.
jimallyn
Level 19
Posts: 9075
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Re: bash bug patch?

Post by jimallyn »

Ron, I think the forums search function doesn't return any results for words that have less than 4 letters. (Use Google to search the forums if you need to search for short words.) There was an update for bash in the Update Manager yesterday, and several related updates today. Run the Update Manager.
“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan
mikecolley
Level 3
Posts: 118
Joined: Fri May 20, 2011 5:41 am

[SOLVED]: BASH vulnerability - Where can I find a patch?

Post by mikecolley »

Hi All: Does anyone know of a patch or fix?

I heard about this Sep 25 on NBR on youtube. What they said at about minute 21 really caught my attention, you might want to check it out on YouTube.

I have all LM17 Cinnamon level 1 and level 2 updates applied to this 64bit system. Level 3 updates not applied. Maybe I should apply them?

My PC failed the test at: https://securityblog.redhat.com/2014/09 ... on-attack/

TMI if you google bash software bug

More Info: http://www.linux.com/news/enterprise/sy ... n-the-wild (edit added line)

Where can I track info on this? I'm looking for a fix or patch.

Thanks! - Mike Colley

System: LM17 Cinnamon flash drive created with LILI using SYSLINUX 4.04 on diskless HP8730w 2.8GHz, 8GB. Persistent install on 32Gig Sandisk, fully backed up weekly. Completely open PC (except for password protected documents). External 3 + 2 Gig USB rotating memory almost never plugged in to PC or anywhere.

P.S. Certainly some good soul who knows how will find a way to see what other easy and obvious bugs there are with the idea to get them fixed. Does anybody know of such an organized effort? I would like to read about progress.
Last edited by mikecolley on Fri Sep 26, 2014 9:07 am, edited 1 time in total.
ClutchDisc

Re: BASH vulnerability - Where can I find a patch?

Post by ClutchDisc »

It's a level 3 update that comes through the update manager.
sdibaja
Level 5
Posts: 899
Joined: Sun May 08, 2011 12:57 pm
Location: Baja California, Mexico

Re: Shellshock bug in BASH . . . [Solved]

Post by sdibaja »

davparker wrote: update may not be enough, you might need to upgrade bash

To test for vulnerability, try this:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If it reports vulnerable, upgrade/patch like this:

sudo apt-get update && sudo apt-get install --only-upgrade bash

Close your shell, then test again
Overconfidence suits no one. It is an Achilles heel.
that update does Not work for LMDE:
bash is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

perhaps a patch will come out in the next day or two...
Peter
Mate desktop https://wiki.debian.org/MATE
Debian GNU/Linux operating system: https://www.debian.org/download
sdibaja
Level 5
Posts: 899
Joined: Sun May 08, 2011 12:57 pm
Location: Baja California, Mexico

Re: bash bug patch?

Post by sdibaja »

FYI:
that update does Not work for LMDE:
bash is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

perhaps a patch will come out in the next day or two...
Peter
Mate desktop https://wiki.debian.org/MATE
Debian GNU/Linux operating system: https://www.debian.org/download
acerimusdux
Level 5
Posts: 633
Joined: Sat Dec 26, 2009 3:36 pm

Re: Recent bash vulnerability and patch questions

Post by acerimusdux »

linx255 wrote: Would a typical router from an ISP be likely to have bash running on it?
Probably not, but I think there will be some. It's easy to imagine there will be some vulnerable router somewhere with a web based administration tool using cgi scripts, and with bash installed on the router.

In addition, since there are lots of routers which have vulnerabilities anyway, the dhclient-script (which uses bash) is a possible attack vector which, once the router running a dhcp server is compromised, could be used to then compromise an unpatched machine on that network. Here's a brief article demonstrating that one:

https://www.trustedsec.com/september-20 ... f-concept/
Replace the portion of the string “echo ‘foo'” with whatever command you want the client to execute. Keep in mind most clients will run dhcp hook scripts as root, but may not have a full environment defined in terms of PATH variables etc.
Basically that means, once you compromise a dhcp server, you can pretty much own any unpatched machine on that network.
linx255 wrote: Not technically essential, but all my automation scripts depend on bash, and they don't work with dash, so my default is set to /bin/bash.
Yes, it turns out there are still a ton of scripts which use bash. I did a quick search with grep and found 120 files beginning "#!/bin/bash" in /usr alone. Even in /bin, there are programs like gunzip, zgrep, and uncompress that are actually bash scripts. So much for that idea, it seems it likely really can't be removed without causing serious headaches.
linx255 wrote: Even though it's patched and I'm probably not affected, I still needed to investigate.
Agree. Very pleased this has been fixed quickly, but it really is a major vulnerability.
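
Added example (not part of acerimusdux's post): a shell function that repeats the inventory described above, listing files whose first line names bash as the interpreter. Matching `#!/usr/bin/env bash` as well as `#!/bin/bash` goes beyond the grep described in the post, and the function name is an assumption made for this example.

```shell
#!/bin/sh
# list_bash_scripts DIR...: print every regular file under the given
# directories whose first line is a bash interpreter line, for example
# "#!/bin/bash", "#!/bin/bash -e" or "#!/usr/bin/env bash".
# (Function name is hypothetical, chosen for this example.)
list_bash_scripts() {
    find "$@" -type f -exec sh -c '
        for f do
            # Only the first line decides which interpreter runs the file.
            if head -n 1 "$f" 2>/dev/null |
                LC_ALL=C grep -Eq "^#![[:space:]]*(/usr)?/bin/(env[[:space:]]+)?bash([[:space:]]|\$)"
            then
                printf "%s\n" "$f"
            fi
        done' sh {} + 2>/dev/null
}

# Usage on a live system, counting the scripts that depend on bash:
#   list_bash_scripts /usr /bin | wc -l
```

Scripts that start with `#!/bin/sh` are not listed; they only reach bash on systems where `/bin/sh` points to it.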
Paulm

Re: Vulnerability in Bash

Post by Paulm »

There are quite a few ways to edit grub, my favorite method is to use 'Grub-Customizer'.
When the .tar file has been extracted, read the README file for a list of dependency package required and for install instructions.
https://launchpad.net/grub-customizer
sherbert

BASH vulnerability aka 'Shellshock'

Post by sherbert »

This vulnerability is news on our local FOSS board. It seems that a new bash is available to patch for it. Will this be made available to Mint users, please?
In my case, LM13. I am going to the end of the line with this LTS. It's great.
thanks
Shane H
karlchen
Level 23
Posts: 18209
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: BASH vulnerability aka 'Shellshock'

Post by karlchen »

sherbert wrote: It seems that a new bash is available to patch for it. Will this be made available to Mint users, please?
Ubuntu had published the patched bash versions for Ubuntu 12.04 (Mint 13) and Ubuntu 14.04 (Mint 17) even before you asked. This means, provided you are accepting the default safety levels in mintupdate, [1], [2] and [3], the patched bash should have been offered to you for installation already. All you have to do is click on the shield icon and click on [Install] in the update manager application window.

Cf. several places in this thread and in particular this one by eanfrid: Patched bash versions on Mint 13 and Mint 17
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 771 days now.
Lifeline
xenopeek
Level 25
Posts: 29597
Joined: Wed Jul 06, 2011 3:58 am

Re: BASH vulnerability a.k.a. 'Shellshock' (CVE 2014-6271)

Post by xenopeek »

The versions from eanfrid's post have already been superseded (those were the incomplete patches; the complete patches are now available). Current status is in the first post of this topic.
karlchen
Level 23
Posts: 18209
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: BASH vulnerability a.k.a. 'Shellshock' (CVE 2014-6271)

Post by karlchen »

Thanks, xenopeek.

I realize that so far my systems have been patched to fix vulnerability reported as CVE 2014-6271 only. So I can still be bashed. :shock:
Now I will have to watch out for the bash patches fixing CVE-2014-7169, instead.
I'm glad I'm typing this from Windows 7 SP1: no bash vulnerabilities here.

Cheers,
Karl
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 771 days now.
Lifeline
xenopeek
Level 25
Posts: 29597
Joined: Wed Jul 06, 2011 3:58 am

Re: BASH vulnerability a.k.a. 'Shellshock' (CVE 2014-6271)

Post by xenopeek »

karlchen wrote: Now I will have to watch out for the bash patches fixing CVE-2014-7169, instead.
Those are already in Linux Mint 13 and 17; see the changelogs linked to in the first post in this topic.
eanfrid

Re: BASH vulnerability a.k.a. 'Shellshock' (CVE 2014-6271)

Post by eanfrid »

karlchen wrote: I'm glad I'm typing this from Windows 7 SP1: no bash vulnerabilities here
Yep. Only many more others kept secret and unpatched :mrgreen:
karlchen
Level 23
Posts: 18209
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: BASH vulnerability a.k.a. 'Shellshock' (CVE 2014-6271)

Post by karlchen »

xenopeek wrote:
Now I will have to watch out for the bash patches fixing CVE-2014-7169, instead.
Those are already in Linux Mint 13 and 17; see the changelogs linked to in the first post in this topic.
True, by today. It all depends on when exactly I received the bash updates on Ubuntu 12.04.5, Mint13, Mint 17 and Ubuntu 14.04.1.
If I interpret the timestamps correctly, then the patches for CVE-2014-7169 were built in the early morning hours of Friday, September 26th.

Code:

[13:13:14] Warning: The file properties have changed:
[13:13:14]          File: /bin/bash
[13:13:14]          Current hash: ac1ddc9c4283f5bb8db64c2e5771eeb44803399f
[13:13:14]          Stored hash : 966672a53bec6b0e43137e187d9bc5dce05d8443
[13:13:14]          Current inode: 135666    Stored inode: 147738
[13:13:15]          Current file modification time: 1411695948 (26-Sep-2014 03:45:48)
[13:13:15]          Stored file modification time : 1398292992 (24-Apr-2014 00:43:12)
So the only system where I am 100% sure it has received bash 4.3-7ubuntu1.3 is Trusty Tahr, where I am typing this post.
All my other systems were updated from Tuesday to Thursday. So they cannot have received the patch for CVE-2014-7169, yet.

[Added 23:15]
All right. Mint 13 x64 has been re-patched, too. Re-patched, because it already had got the half-patched bash version.

Code:

Ubuntu 12.04.5 x64  - Mint 13 x64
==================================
bash (4.2-2ubuntu2.3) precise-security; urgency=medium

  * SECURITY UPDATE: incomplete fix for CVE-2014-6271
    - debian/patches/CVE-2014-7169.diff: fix logic in bash/parse.y.
    - CVE-2014-7169

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 25 Sep 2014 02:11:10 -0400

[22:58:04] Warning: The file properties have changed:
[22:58:04]          File: /bin/bash
[22:58:04]          Current hash: 4e5d726270d6a129bf6e7a03798303d80246e56c
[22:58:04]          Stored hash : 9eeed02173db163b013933eff3b8c6aa3697f67f
[22:58:04]          Current inode: 1048653    Stored inode: 1048613
[22:58:04]          Current file modification time: 1411627847 (25-Sep-2014 08:50:47)
[22:58:04]          Stored file modification time : 1411418372 (22-Sep-2014 22:39:32)
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 771 days now.
Lifeline
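
Added example (not part of karlchen's post): a small parser for the Debian changelog format quoted above that reports which package version mentions which CVE, so a bash that only carries the first fix can be told apart from one that also lists CVE-2014-7169. The function names are assumptions made for this example; the sample entry is the one quoted in the post.

```shell
#!/bin/sh
# cve_versions: read a Debian-format changelog on stdin and print one
# "CVE-ID VERSION" line per package version whose entry mentions that CVE.
# (Function names are hypothetical, chosen for this example.)
cve_versions() {
    awk '
    # Entry header, e.g. "bash (4.2-2ubuntu2.3) precise-security; urgency=medium"
    /^[a-z0-9][a-z0-9.+-]* \(/ { ver = $2; gsub(/[()]/, "", ver); next }
    {
        line = $0
        # Collect every CVE id on the line, reporting each id once per version.
        while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
            cve = substr(line, RSTART, RLENGTH)
            if (!((cve, ver) in seen)) { seen[cve, ver] = 1; print cve, ver }
            line = substr(line, RSTART + RLENGTH)
        }
    }'
}

# changelog_mentions CVE-ID: exit 0 if the changelog on stdin mentions it.
changelog_mentions() {
    cve_versions | grep -q "^$1 "
}

# The changelog entry quoted in the post (Ubuntu 12.04.5 x64 / Mint 13 x64).
sample_changelog() {
    cat <<'EOF'
bash (4.2-2ubuntu2.3) precise-security; urgency=medium

  * SECURITY UPDATE: incomplete fix for CVE-2014-6271
    - debian/patches/CVE-2014-7169.diff: fix logic in bash/parse.y.
    - CVE-2014-7169

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 25 Sep 2014 02:11:10 -0400
EOF
}

# On a Debian, Ubuntu or Mint system (standard changelog location):
#   zcat /usr/share/doc/bash/changelog.Debian.gz | cve_versions
#   zcat /usr/share/doc/bash/changelog.Debian.gz | changelog_mentions CVE-2014-7169
```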
mike acker
Level 7
Posts: 1517
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by mike acker »

I read this explanation on ZD Net this morning.

My impression is: this is more an administrative error than it is a software bug. The news media, being what it is, is likely to give this the drive-by (i.e. 15 second version) of the "bug". From what I see I really don't see that this should be considered a software bug as it appears to be more like someone left the back door unlocked.

Administrative errors:
(1) running with root authority
(2) failure to "sanitize" inputs
¡Viva la Resistencia!
mikecolley
Level 3
Posts: 118
Joined: Fri May 20, 2011 5:41 am

[SOLVED]: Re: BASH vulnerability a.k.a. 'Shellshock'

Post by mikecolley »

HI All:

I loaded all level 1 and level 2 updates on my PC and ran the test and got:
***** FAIL *****
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
***** FAIL *****

I loaded all level 3 updates and ran the same test and got:
***** PASS *****
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
***** PASS *****

It is fixed for me. Thank You All!

System: LM17 Cinnamon flash drive created with LILI using SYSLINUX 4.04 on diskless HP8730w 2.8GHz, 8GB. Persistent install on 32Gig Sandisk, fully backed up weekly. Completely open PC (except for password protected documents). External 3 + 2 Gig USB rotating memory almost never plugged in to PC or anywhere.
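
Added example (not part of mikecolley's post): the PASS/FAIL check above as shell functions that run the same test command and classify its output. The function names are assumptions made for this example; bash releases newer than the ones in this thread print only `this is a test`, without the warning, and are classified as patched too.

```shell
#!/bin/sh
# classify_shellshock_output: read the combined stdout/stderr of the test
# command on stdin and print VULNERABLE, PATCHED or UNKNOWN.
# (Function names are hypothetical, chosen for this example.)
classify_shellshock_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        # The trailing "echo vulnerable" ran while bash imported variable x.
        echo VULNERABLE
    elif printf '%s\n' "$out" | grep -qx 'this is a test'; then
        # Only the requested command ran. The first patches also print the
        # "ignoring function definition attempt" warning; later bash
        # releases print nothing extra.
        echo PATCHED
    else
        # bash missing, or output that matches neither transcript.
        echo UNKNOWN
    fi
}

# shellshock_status [BASH]: run the thread's test against a bash binary
# (default: the bash found in PATH) and classify the result.
shellshock_status() {
    env x='() { :;}; echo vulnerable' "${1:-bash}" -c 'echo this is a test' 2>&1 |
        classify_shellshock_output
}

# Usage:
#   shellshock_status            # bash from PATH
#   shellshock_status /bin/bash  # a specific binary
```

This test exercises only the original function-import flaw (CVE-2014-6271); the follow-up CVE-2014-7169 discussed earlier in the thread is not covered by it.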
anonymous9001

should i be worried? CVE-2014-6271 remote exe w/ bash

Post by anonymous9001 »

https://securityblog.redhat.com/2014/09 ... on-attack/
I really don't know much about bash. Is this a problem for us Mint users? Apparently, the patch can be bypassed as well.
tamone

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by tamone »

Hello,

I am using Linux Mint Debian Edition and I could successfully upgrade my bash with your recipe of adding ftp.debian.org sid... into sources.list.
But I did not do a complete upgrade to avoid disturbing the distro based on jessie. I only did a

Code:

 apt-get install bash 
after the update. Then I removed the repository sid, and it worked. Maybe I should block bash update to prevent a roll-back of the vulnerable version in the next install update?

Thanks