[kwlug-disc] Vulnerability in bash

CrankyOldBugger crankyoldbugger at gmail.com
Thu Sep 25 09:43:21 EDT 2014


I got:

:~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

:~$ uname -a
Linux Quorra 3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3 21:30:07 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

This is on an Ubuntu 14.10 laptop.
So I guess I'm ok!




On 25 September 2014 09:35, Khalid Baheyeldin <kb at 2bits.com> wrote:

> The test for the vulnerability is typing this in a bash shell:
>
> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>
> If you get just "this is a test" with some warnings, then you are not
> vulnerable.
> If you get "vulnerable" as part of the output, then you are.
>
> Like many who run a Debian based distro, I use apticron to get email
> notifications of updates to the exact packages that I have installed. I got
> notified yesterday noon-ish of the update and got it installed.
>
> I did not need to reboot nor start the shells I have open in screen. The
> output of the test above says I am not vulnerable, but I did not do a
> before and after on the same machine (although a pristine virtual image
> does show it is vulnerable).
>
> So, I don't think a shell restart is necessary based on the tests above. How
> is this done? I don't know. There are no shared libraries included in the
> package (dpkg -L bash).
>
> On Thu, Sep 25, 2014 at 1:05 AM, B.S. <bs27975 at yahoo.ca> wrote:
>
>> On Wed, 24 Sep 2014 23:21:57 -0400
>> "L.D. Paniak" <ldpaniak at fourpisolutions.com> wrote:
>>
>> > The list should be aware of a newly-announced and particularly nasty
>> > parsing bug with all versions of bash:
>> >
>> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
>> >
>> > The combination of "network exploitable" and "authentication not
>> > required"  make this a "10" on the severity scale.
>> >
>> > Updated packages for current versions of Ubuntu look to have been
>> > pushed out earlier today:
>> > https://launchpad.net/ubuntu/+source/bash
>>
>> Presumably, at the least, a post-update logout/login will be necessary
>> on each machine, if not an entire reboot. (Care to trust that ALL
>> scripts run between turn on and user prompt use sh not bash? And that
>> sh hasn't been inadvertently equivalenced to bash?)
>>
>> Given that most of us probably have a command line up (outside of any
>> GUI too!), and thus in memory. Updating will catch any new instances,
>> but not those you're already in the middle of.
>>
>> I suppose this means rebooting all servers, too. <sigh?>
>>
>> I wonder if we should expect to see some further script updates to
>> follow. i.e. 'Inadvertent' taking advantage of 'hole' for non-nefarious
>> purposes now needing tweaking due to the update. (e.g. Things becoming
>> broken, albeit things originally written with the best of intentions.)
>>
>>
>> _______________________________________________
>> kwlug-disc mailing list
>> kwlug-disc at kwlug.org
>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>
>
>
>
> --
> Khalid M. Baheyeldin
> 2bits.com, Inc.
> Fast Reliable Drupal
> Drupal optimization, development, customization and consulting.
> Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
> Simplicity is the ultimate sophistication. --   Leonardo da Vinci
> For every complex problem, there is an answer that is clear, simple, and
> wrong." -- H.L. Mencken
>
>
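Added example, not part of any message in this thread: the probe quoted above, wrapped so it can be pointed at a specific shell binary (including whatever `sh` resolves to, the concern raised in the thread) and its result read by a script. The function names `classify_probe`, `probe_shell`, `sh_target` and `report` are made up for this example; the probe starts a new process of the shell it is given, so the result describes the binary currently on disk.

```shell
#!/bin/sh
# Added example: runs the thread's env/bash test against named shell binaries.

# classify_probe OUTPUT -> prints vulnerable | not-vulnerable | inconclusive
classify_probe() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable        # the text after the function body was executed
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        echo not-vulnerable    # only the intended command ran (warnings are fine)
    else
        echo inconclusive      # shell did not run, or printed neither line
    fi
}

# probe_shell PATH -> run the probe from the thread against PATH, classify output
probe_shell() {
    # "|| true": a shell that is missing or exits non-zero must not abort the caller
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>&1) || true
    classify_probe "$out"
}

# sh_target -> fully resolved path of the program that "sh" runs on this machine
sh_target() {
    readlink -f "$(command -v sh)"
}

# report -> one tab-separated line per shell: bash on PATH, then the target of sh
report() {
    for s in "$(command -v bash)" "$(sh_target)"; do
        [ -x "$s" ] || continue
        printf '%s\t%s\n' "$s" "$(probe_shell "$s")"
    done
}

report
```

If the second line of the report shows a path ending in `bash`, then `sh` scripts on that machine are run by bash as well.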