On Sep 26, 2014, at 8:49 PM, Murray Blakeman wrote:
> Not sure if anyone is interested. For Solaris 11+.
>
> http://www.solarismultimedia.com/?q=node/108
>
> May not be good practice but it'll do for the moment.
>
> Regards
>
> Murray
A poorly fixed bash was updated yesterday when I did a "pkg update".
I say poorly fixed because the parser appears to bail out when it sees
anything funny, rather than doing the proper thing, which is to parse
correctly and process to the proper syntax error. The result is
someone will find a way to bypass this fix. I think this fix came
from the bash team.
-tim
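The two diagnostics quoted further down this thread (the Red Hat one-liner and Ian's post-IDR follow-up), wrapped into a script for checking several bash binaries the same way. This is an added example, not code from the thread, Oracle or Red Hat; it assumes POSIX sh with env(1) and mktemp(1) available, and takes the bash paths to test as arguments.

```shell
#!/bin/sh
# Added example, not from the thread. Wraps the two diagnostics quoted in
# this thread. Assumes POSIX sh, env(1) and mktemp(1); the bash paths to
# test are passed as arguments (e.g. /bin/bash /usr/bin/bash).

# Red Hat's test: a function definition in the environment with trailing
# code. Returns 0 if bash ignores the trailing code (patched), 1 if
# "vulnerable" is printed (unpatched).
check_env_function_import() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Ian's follow-up test after the IDR: a malformed definition that, on a
# bash with only the first fix, leaves the parser mid-redirection, so the
# -c command "echo echo vuln" is run as "echo vuln > echo". Runs in a
# scratch directory so any stray "echo" file is contained. Returns 0 if no
# such file appears (fixed), 1 if it contains "vuln" (still vulnerable),
# 2 if the scratch directory cannot be created.
check_parser_state_leak() {
    scratch=$(mktemp -d) || return 2
    (cd "$scratch" && env X='() { (a)=>\' "$1" -c "echo echo vuln") >/dev/null 2>&1
    rc=0
    if [ -f "$scratch/echo" ] && [ "$(cat "$scratch/echo")" = "vuln" ]; then
        rc=1
    fi
    rm -rf "$scratch"
    return "$rc"
}

# Runs both checks on each binary, prints one line per binary and returns
# the number of failed checks, so a non-zero exit can drive monitoring.
scan_bash_binaries() {
    failures=0
    for bin in "$@"; do
        [ -x "$bin" ] || { echo "$bin: not executable, skipped"; continue; }
        r1=ok; check_env_function_import "$bin" || { r1=VULNERABLE; failures=$((failures + 1)); }
        r2=ok; check_parser_state_leak "$bin" || { r2=VULNERABLE; failures=$((failures + 1)); }
        echo "$bin: env-function-import=$r1 parser-state-leak=$r2"
    done
    return "$failures"
}

# Usage: sh check_bash.sh /bin/bash /usr/bin/bash
if [ $# -gt 0 ]; then scan_bash_binaries "$@"; fi
```

A binary that passes the first check but fails the second is exactly the "poorly fixed" state described above.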
>
> On 26/09/2014 09:43, McGinley, Ian R wrote:
>> Solaris 10 SPARC
>>
>> PRE Install of IDR
>> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>> vulnerable
>> this is a test
>>
>> POST INSTALL of IDR (no logout and no reboot)
>>
>> root@ccssapprfvs001[DHS-Stage1]# env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable "
>> bash: X: line 1: syntax error near unexpected token `='
>> bash: X: line 1: `'
>> bash: error importing function definition for `X'
>> echo vuln
>> cat: cannot open echo
>> root@ccssapprfvs001[DHS-Stage1]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>> bash: warning: x: ignoring function definition attempt
>> bash: error importing function definition for `x'
>> this is a test
>>
>> Ian McGinley
>> Application Technology
>> Consumer and Digital - Online
>> 03 8647 2433
>> 0457 724 419
>>
>>
>> -----Original Message-----
>> From: Andre van Eyssen [mailto:[email protected]]
>> Sent: Friday, 26 September 2014 9:44 AM
>> To: McGinley, Ian R
>> Cc: Boyd Adamson; Andrew Watkins; [email protected]
>> Subject: Re: [msosug] bash vulnerability in Solaris?.
>>
>>
>> Ian -- you're doing a great job of keeping the list updated. For
>> the benefit of the subscriber base, can you update the list as
>> patches roll in?
>>
>> McGinley, Ian R wrote:
>>> Current info I've got:
>>>
>>> IDR’s are in test for
>>>
>>> Solaris 11.2 -> 11.2 SRU 2.5
>>>
>>> Solaris 11.1 -> Solaris 11.1 SRU 12.5
>>>
>>> Solaris 11.1 SRU 13.6 -> Solaris 11.1 SRU 21.4.1
>>>
>>> Solaris 10 (with dependency on 12654{6..7}-05 already in place)
>>>
>>> Solaris 9
>>>
>>> And Solaris 8 coming soon.
>>>
>>> From: Boyd Adamson [mailto:[email protected]]
>>> Sent: Thursday, 25 September 2014 6:55 PM
>>> To: Andrew Watkins
>>> Cc: [email protected]
>>> Subject: Re: [msosug] bash vulnerability in Solaris?.
>>>
>>> Will indeed be interesting to see what they do. Another aspect is that
>>> in the past Solaris 11 package updates have only ever been bundled
>>> into SRUs that also included reboot-requiring packages. If they
>>> continue this practice then we will be rebooting for an update that
>>> really only requires replacing a single binary, while our Linux
>>> systems are already upgraded without outage.
>>>
>>> On 25 Sep 2014, at 6:27 pm, Andrew Watkins <[email protected]> wrote:
>>>
>>> Yes, we could all compile and install a new version or remove bash,
>>> but it will be interesting to see how Oracle handle it for all the
>>> Solaris 11 releases. Currently they only release patches for the
>>> latest version 11.2, so that is why I am interested in what they
>>> will do for this one.
>>>
>>> What happens if the zero-day security bug was in the Solaris 11.0
>>> kernel, so there is no way of you fixing it? Will they only release
>>> a patch for 11.2 or will they back port?
>>>
>>> Happy fixing.
>>>
>>> Andrew
>>>
>>> On 25/09/2014 09:18, Ben Couldrey wrote:
>>>
>>> We should all be running zsh anyway… (sorry Boyd, had to get in
>>> before you did)
>>>
>>> Ben
>>>
>>> On 25 Sep 2014, at 6:13 pm, Andrew Watkins <[email protected]> wrote:
>>>
>>> It will be interesting if Oracle release a bash patch for all
>>> Solaris 11 versions (11, 11.1 and 11.2).
>>> Or will they force everyone to go to Solaris 11.2 SRU latest?
>>>
>>> Andrew
>>>
>>> On 25/09/2014 08:21, McGinley, Ian R wrote:
>>>
>>> Log an SR asking for it.
>>>
>>> We’ve got one in the system for tracking internal change
>>> management purposes.
>>>
>>> In the meantime if it’s super dangerous for you, then
>>> pkgrm SUNWbash, or at least chmod 000 /bin/bash
>>>
>>> From: Tony Payne [mailto:[email protected]]
>>> Sent: Thursday, 25 September 2014 11:39 AM
>>> To: msosug
>>> Subject: [msosug] bash vulnerability in Solaris?.
>>>
>>> Hi All,
>>>
>>> I'm sure you've all heard about the bash vulnerability where
>>> "specially-crafted environment variables can be used to inject
>>> shell commands", unearthed by Stephane Chazelas very recently?
>>>
>>> Many Linux flavors have already released patches and according to
>>> the following test (see in full at:
>>> https://access.redhat.com/articles/1200223) Solaris 10 at least
>>> appears to be vulnerable.
>>>
>>> =========================
>>>
>>> Diagnostic Steps
>>>
>>> To test if your version of Bash is vulnerable to this issue, run the
>>> following command:
>>>
>>> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>>>
>>> If the output of the above command looks as follows:
>>>
>>> vulnerable
>>> this is a test
>>>
>>> you are using a vulnerable version of Bash. The patch used to fix
>>> this issue ensures that no code is allowed after the end of a Bash
>>> function. Thus, if you run the above example with the patched
>>> version of Bash, you should get an output similar to:
>>>
>>> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>>>
>>> bash: warning: x: ignoring function definition attempt
>>> bash: error importing function definition for `x'
>>> this is a test
>>>
>>> =========================
>>>
>>> Does anyone know if there is, or is planned, a patch for Solaris'
>>> bash implementation?
>>>
>>> * https://access.redhat.com/security/cve/CVE-2014-6271?sc_cid=70160000000e8eaAAA&
>>>
>>> --
>>> Cheers,
>>>
>>> Tony.
>>> \|/ ____ \|/
>>> @~/ ,. \~@
>>> /_( \__/ )_\
>>>
>>> +------------------------------
>>> \__U_/---------------------------------
>>> -+
>>>
>>> _______________________________________________
>>> msosug mailing list
>>> [email protected]
>>> http://mexico.purplecow.org/m/listinfo/msosug
>>>
>>> --
>>> Andrew Watkins * Birkbeck, University of London * Computer Science *
>>> * UKOUG Solaris SIG Co-Chair *
>>> http://notallmicrosoft.blogspot.com/
>>
>> --
>> Andre van Eyssen
>> mail: [email protected] (alt: [email protected])
>> purplecow.org: UNIX for the masses http://www2.purplecow.org
>> purplecow.org: PCOWpix http://pix.purplecow.org