[kwlug-disc] Vulnerability in bash
Khalid Baheyeldin
kb at 2bits.com
Thu Sep 25 09:46:28 EDT 2014
Yes, you are OK.
Same output as I am having on 14.04 and 12.04.
On Thu, Sep 25, 2014 at 9:43 AM, CrankyOldBugger <crankyoldbugger at gmail.com>
wrote:
> I got:
>
> :~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> bash: warning: x: ignoring function definition attempt
> bash: error importing function definition for `x'
> this is a test
>
> :~$ uname -a
> Linux Quorra 3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3 21:30:07 UTC 2014
> x86_64 x86_64 x86_64 GNU/Linux
>
> This is on an Ubuntu 14.10 laptop.
> So I guess I'm ok!
>
>
>
>
> On 25 September 2014 09:35, Khalid Baheyeldin <kb at 2bits.com> wrote:
>
>> The test for the vulnerability is typing this in a bash shell:
>>
>> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>>
>> If you get just "this is a test" with some warnings, then you are not
>> vulnerable.
>> If you get "vulnerable" as part of the output, then you are.
>>
>> Like many who run a Debian based distro, I use apticron to get email
>> notifications of updates to the exact packages that I have installed. I got
>> notified yesterday noon-ish of the update and got it installed.
>>
>> I did not need to reboot nor start the shells I have open in screen. The
>> output of the test above says I am not vulnerable, but I did not do a
>> before and after on the same machine (although a pristine virtual image
>> does show it is vulnerable).
>>
>> So, don't think a shell restart is necessary based on the tests above.
>> How is this done? I don't know. There are no shared libraries included in
>> the package (dpkg -L bash).
>>
>> On Thu, Sep 25, 2014 at 1:05 AM, B.S. <bs27975 at yahoo.ca> wrote:
>>
>>> On Wed, 24 Sep 2014 23:21:57 -0400
>>> "L.D. Paniak" <ldpaniak at fourpisolutions.com> wrote:
>>>
>>> > The list should be aware of a newly-announced and particularly nasty
>>> > parsing bug with all versions of bash:
>>> >
>>> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
>>> >
>>> > The combination of "network exploitable" and "authentication not
>>> > required" make this a "10" on the severity scale.
>>> >
>>> > Updated packages for current versions of Ubuntu look to have been
>>> > pushed out earlier today:
>>> > https://launchpad.net/ubuntu/+source/bash
>>>
>>> Presumably, at the least, a post-update logout/login will be necessary
>>> on each machine, if not an entire reboot. (Care to trust that ALL
>>> scripts run between turn on and user prompt use sh not bash? And that
>>> sh hasn't been inadvertently equivalenced to bash?)
>>>
>>> Given that most of us probably have a command line up (outside of any
>>> GUI too!), and thus in memory. Updating will catch any new instances,
>>> but not those you're already in the middle of.
>>>
>>> I suppose this means rebooting all servers, too. <sigh?>
>>>
>>> I wonder if we should expect to see some further script updates to
>>> follow. i.e. 'Inadvertent' taking advantage of 'hole' for non-nefarious
>>> purposes now needing tweaking due to the update. (e.g. Things becoming
>>> broken, albeit things originally written with the best of intentions.)
>>>
>>>
>>> _______________________________________________
>>> kwlug-disc mailing list
>>> kwlug-disc at kwlug.org
>>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>>
>>
>>
>>
>> --
>> Khalid M. Baheyeldin
>> 2bits.com, Inc.
>> Fast Reliable Drupal
>> Drupal optimization, development, customization and consulting.
>> Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
>> Simplicity is the ultimate sophistication. -- Leonardo da Vinci
>> For every complex problem, there is an answer that is clear, simple, and
>> wrong." -- H.L. Mencken
>>
>> _______________________________________________
>> kwlug-disc mailing list
>> kwlug-disc at kwlug.org
>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>
>>
>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>
>
--
Khalid M. Baheyeldin
2bits.com, Inc.
Fast Reliable Drupal
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
Simplicity is the ultimate sophistication. -- Leonardo da Vinci
For every complex problem, there is an answer that is clear, simple, and
wrong." -- H.L. Mencken
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20140925/867f333a/attachment.htm>
More information about the kwlug-disc
mailing list