Bash Remote Code Execution Vulnerability

Talking about SolydXK, another distribution or totally off-topic but within the Rules? It's the right place!
duped
Posts: 43
Joined: 17 Jan 2014 17:29
Location: Quebec, Canada

Bash Remote Code Execution Vulnerability

Postby duped » 25 Sep 2014 13:31

Scary, we are not used to such things

https://www.us-cert.gov/ncas/current-ac ... nerability


Fargo
Posts: 896
Joined: 17 Sep 2013 14:40

Re: Bash Remote Code Execution Vulnerability

Postby Fargo » 25 Sep 2014 14:23

Yeah, I had a friend I set up with Linux call me last night in a panic about this. I really don't know how much of a concern it is. It sounds like it was patched pretty quickly, I haven't updated yet, but I assume the patch is already in the Debian repos.

It also looked like it was more of an issue with servers. From some of my research I got the impression that desktops used something different than bash. Hopefully someone more knowledgeable will chime in.

EDIT: Just did an update and there is a bash update in the Business Edition. I'm not sure if that's the patch or something else though.

zerozero
Posts: 5373
Joined: 10 Feb 2013 23:37
Location: West Midlands, England

Re: Bash Remote Code Execution Vulnerability

Postby zerozero » 25 Sep 2014 15:02

bash is already patched in the BE with version 4.2+dfsg-0.1+deb7u1 [https://security-tracker.debian.org/tra ... -2014-6271 ]
you can check that running

Code: Select all

aptitude changelog bash
and the first entry should be

Code: Select all

bash (4.2+dfsg-0.1+deb7u1) wheezy-security; urgency=high

  * Apply patch from Chet Ramey to fix CVE-2014-6271.

 -- Florian Weimer <hidden e-mail address>  Tue, 16 Sep 2014 21:28:27 +0200
at the same time, version 4.3-9.1 patches the vulnerability in sid and is migrating to testing today
>> https://packages.qa.debian.org/b/bash.html
bliss of ignorance

just
Posts: 297
Joined: 07 Nov 2013 08:06
Location: Rovaniemi, Finland

Re: Bash Remote Code Execution Vulnerability

Postby just » 25 Sep 2014 15:06

Fargo wrote:
... Just did an update and their is a bash update in the Business Edition. I'm not sure if thats the patch or something else though.
some systems have already received the bash update.

to quickly check if the system is affected by this vulnerability execute in terminal:

Code: Select all

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  • if the system is (still) vulnerable, there will be these lines in output:

    Code: Select all

    vulnerable
    this is a test
  • if the system is not vulnerable (anymore), there will be this "error" message in output:

    Code: Select all

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
an example on my current box (it is not solydxk):

Code: Select all

just@alexfac:~> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
just@alexfac:~> 
this system is still vulnerable, it didn't receive the bash update yet.

Fargo
Posts: 896
Joined: 17 Sep 2013 14:40

Re: Bash Remote Code Execution Vulnerability

Postby Fargo » 25 Sep 2014 16:46

zerozero wrote:bash is already patched in the BE with version 4.2+dfsg-0.1+deb7u1 [https://security-tracker.debian.org/tra ... -2014-6271]
I love the business edition. Anytime one of these little things comes up it's always patched right away. Sooner than testing in my observation. It's obvious the goal of Debian is the Stable edition. I think SolydXK users will be happy when everything is running on Stable. (Not that waiting one day for the patch to hit testing is really bad. I still haven't heard if Apple has a patch yet)

grizzler
Posts: 2217
Joined: 04 Mar 2013 15:45
Location: The Hague, NL

Re: Bash Remote Code Execution Vulnerability

Postby grizzler » 25 Sep 2014 17:05

The fix triggered by CVE-2014-6271 (which appears to be insufficient, by the way...) is already in Testing as well and will hopefully be followed by a fix for CVE-2014-7169.

I'll upload bash 4.3-9.1 to the Security Repository within the hour.
Frank

SolydX EE 64 - tracking Debian Testing
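The one-liner in just's post above tests only CVE-2014-6271, and grizzler notes that the first fix was insufficient and that a second fix for CVE-2014-7169 was still pending. The script below is an added example, not code from the original thread or from SolydXK: it wraps just's check in a function and adds the widely published check for CVE-2014-7169 (a crafted function definition that leaves a dangling `>\` in the parser, so a following `bash -c "echo date"` is turned into a redirection that creates a file named `echo`). The file-creation check is run inside a throwaway temporary directory so it never touches the caller's working directory. Function names and the "vulnerable" / "patched" / "no-bash" result strings are this example's own conventions.

```shell
#!/bin/sh
# Shellshock checks for CVE-2014-6271 and CVE-2014-7169 (added example).
# Each check prints one word and returns 0 when bash looks patched,
# 1 when it looks vulnerable, 2 when no bash binary could be found.

# CVE-2014-6271: a vulnerable bash executes commands that trail the
# function body in an imported environment variable. A patched bash
# refuses the import with "ignoring function definition attempt".
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
    out=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# CVE-2014-7169: the incomplete first fix still let a malformed function
# definition leave parser state behind. The classic public probe uses
# '() { (a)=>\' so that the following "echo date" is parsed as
# "> echo date", i.e. the output of date is written to a file named echo.
# We run it in a fresh temporary directory and look for that file.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
    dir=$(mktemp -d) || { echo no-bash; return 2; }
    ( cd "$dir" && env X='() { (a)=>\' bash -c "echo date" >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then
        result=vulnerable; rc=1
    else
        result=patched; rc=0
    fi
    rm -rf "$dir"
    echo "$result"
    return $rc
}

# First line of "bash --version", useful when comparing against the
# package versions quoted in this thread (4.2+dfsg-0.1+deb7u1, 4.3-9.1).
bash_version_line() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
    bash --version 2>/dev/null | head -n 1
}

# Usage: run both checks and report; overall exit status is non-zero if
# either check reports "vulnerable" or bash is missing.
shellshock_report() {
    status=0
    echo "bash:            $(bash_version_line)"
    r1=$(check_cve_2014_6271) || status=1
    echo "CVE-2014-6271:   $r1"
    r2=$(check_cve_2014_7169) || status=1
    echo "CVE-2014-7169:   $r2"
    return $status
}

# Only run the report when executed directly, not when sourced for the checks.
case "$0" in
    *shellshock*|*check*) shellshock_report ;;
esac
```

Note that a system patched only against CVE-2014-6271 (for example wheezy's 4.2+dfsg-0.1+deb7u1 as first shipped) passes the first check and fails the second, which is exactly the gap grizzler is describing; both checks should print "patched" once the follow-up update is installed.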

zerozero
Posts: 5373
Joined: 10 Feb 2013 23:37
Location: West Midlands, England

Re: Bash Remote Code Execution Vulnerability

Postby zerozero » 25 Sep 2014 17:15

oops :D Frank edited the post above while I was posting
===
4.3-9.1 is already in testing fixing the first CVE
[attachment: snapshot308.png]

Code: Select all

The following packages will be upgraded:
  bash
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,171 kB of archives.
After this operation, 358 kB disk space will be freed.
Do you want to continue? [Y/n] Y
Get:1 http://ftp.debian.org/debian/ testing/main bash amd64 4.3-9.1 [1,171 kB]
bliss of ignorance

Deleted User 2764

Re: Bash Remote Code Execution Vulnerability

Postby Deleted User 2764 » 27 Sep 2014 13:10

I had to update the server at work because of this too. The boss emailed me to do this, which is unusual as he never gets so concerned that he would email me about security patches. Usually I'm emailing him since any updates/upgrades have to get his permission first before they can be applied.

I updated my T61. I'm using that now because yet again, the corner broke on my HP. Friend has it for the weekend (or as long as it takes to glue it back together - broke in another place). When I get that machine back I'll be applying the updates there too. I also will wait until then to patch my VMs (since I probably won't need them until then anyway). I already have one VM patched though - one I needed over the weekend.

I assume that the security threads in this forum will keep us updated on what the security updates are? I uninstalled the UM and do my updates manually now (usually when something catches my attention or I think of it).

Deleted User 2764

Re: Bash Remote Code Execution Vulnerability

Postby Deleted User 2764 » 27 Sep 2014 13:12

I mean updated. Too lazy to correct all the instances of "patched" to "updated". :roll:

