Two releases since the IDR was applied on Friday.

[email protected]:~$ pkg list -af bash
NAME (PUBLISHER)                                  VERSION                    IFO
shell/bash                                        4.1.11-0.175.2.2.0.8.0     ---
shell/bash                                        4.1.11-0.175.2.2.0.7.0     ---
shell/bash                                        4.1.11-0.175.2.0.0.42.1.1399.1 i--
shell/bash                                        4.1.11-0.175.2.0.0.42.1    ---






Ian McGinley
Application Technology
Consumer and Digital - Online
03 8647 2433
0457 724 419


-----Original Message-----
From: Tim Hogard [mailto:[email protected]] 
Sent: Saturday, 27 September 2014 10:21 PM
To: Tim Hogard
Cc: [email protected]
Subject: Re: [msosug] bash vulnerability in Solaris?.

pkg update sent a 2nd version of bash just moments ago.


On my t5120 toybox running 11.2:

# cp /usr/bin/bash /tmp
# pkg update
# ls -l /usr/bin/bash /tmp/bash
-r-xr-xr-x   1 root     root     1245760 Sep 27 22:14 /tmp/bash
-r-xr-xr-x   1 root     bin      1245752 Sep 27 22:15 /usr/bin/bash
# md5sum /usr/bin/bash /tmp/bash
a08d7d8081e345081cb2c72c0c5f8ff7  /usr/bin/bash
fce382e2c5794e38434d152e811f17d7  /tmp/bash


-tim


On Sep 27, 2014, at 10:14 AM, Tim Hogard wrote:

>
> On Sep 26, 2014, at 8:49 PM, Murray Blakeman wrote:
>
>> Not sure if anyone is interested.  For Solaris 11+.
>>
>> http://www.solarismultimedia.com/?q=node/108
>>
>> May not be good practice but it'll do for the moment.
>>
>> Regards
>>
>> Murray
>
> A poorly fixed bash was updated yesterday when I did a "pkg update".
>
> I say poorly fixed because the parser appears to bail out when it sees 
> anything funny rather than doing the proper thing which is to parse 
> correctly and process to the proper syntax error.  The result is 
> someone will find a way to bypass this fix.  I think this fix came 
> from the bash team.
>
> -tim
>
>
>>
>> On 26/09/2014 09:43, McGinley, Ian R wrote:
>>> Solaris 10 SPARC
>>>
>>> PRE Install of IDR
>>> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>>> vulnerable
>>> this is a test
>>>
>>>
>>>
>>> POST INSTALL of IDR (no logout and no reboot)
>>>
>>> root@ccssapprfvs001[DHS-Stage1]# env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable"
>>> bash: X: line 1: syntax error near unexpected token `='
>>> bash: X: line 1: `'
>>> bash: error importing function definition for `X'
>>> echo vuln
>>> cat: cannot open echo
>>> root@ccssapprfvs001[DHS-Stage1]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>>> bash: warning: x: ignoring function definition attempt
>>> bash: error importing function definition for `x'
>>> this is a test
>>>
>>> Ian McGinley
>>> Application Technology
>>> Consumer and Digital - Online
>>> 03 8647 2433
>>> 0457 724 419
>>>
>>>
>>> -----Original Message-----
>>> From: Andre van Eyssen [mailto:[email protected]]
>>> Sent: Friday, 26 September 2014 9:44 AM
>>> To: McGinley, Ian R
>>> Cc: Boyd Adamson; Andrew Watkins; [email protected]
>>> Subject: Re: [msosug] bash vulnerability in Solaris?.
>>>
>>>
>>> Ian -- you're doing a great job of keeping the list updated. For the 
>>> benefit of the subscriber base, can you update the list as patches 
>>> roll in?
>>>
>>> McGinley, Ian R wrote:
>>>> Current info I've got:
>>>>
>>>> IDRs are in test for
>>>>
>>>> Solaris 11.2 -> 11.2 SRU 2.5
>>>>
>>>> Solaris 11.1 -> Solaris 11.1 SRU 12.5
>>>>
>>>> Solaris 11.1 SRU 13.6 -> Solaris 11.1 SRU 21.4.1
>>>>
>>>> Solaris 10 (with dependency on 12654{6..7}-05 already in place)
>>>>
>>>> Solaris 9
>>>>
>>>> And Solaris 8 coming soon.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Ian McGinley
>>>>
>>>> Application Technology
>>>>
>>>> Consumer and Digital - Online
>>>>
>>>> 03 8647 2433
>>>>
>>>> 0457 724 419
>>>>
>>>>
>>>>
>>>> From: Boyd Adamson [mailto:[email protected]]
>>>> Sent: Thursday, 25 September 2014 6:55 PM
>>>> To: Andrew Watkins
>>>> Cc: [email protected]
>>>> Subject: Re: [msosug] bash vulnerability in Solaris?.
>>>>
>>>>
>>>>
>>>> Will indeed be interesting to see what they do. Another aspect is
>>>> that in the past Solaris 11 package updates have only ever been
>>>> bundled into SRUs that also included reboot-requiring packages. If
>>>> they continue this practice then we will be rebooting for an update
>>>> that really only requires replacing a single binary, while our
>>>> Linux systems are already upgraded without outage.
>>>>
>>>>
>>>> On 25 Sep 2014, at 6:27 pm, Andrew Watkins <[email protected]> wrote:
>>>>
>>>>
>>>>    Yes, we could all compile and install a new version or remove bash,
>>>>    but it will be interesting to see how Oracle handle it for all the
>>>>    Solaris 11 releases. Currently they only release patches for the
>>>>    latest version 11.2, so that is why I am interested in what they
>>>>    will do for this one.
>>>>
>>>>    What happens if the Zero Day Security bug was in the Solaris 11.0
>>>>    kernel, so there is no way of you fixing it? Will they only release
>>>>    a patch for 11.2 or will they back port?
>>>>
>>>>    Happy fixing.
>>>>
>>>>    Andrew
>>>>
>>>>
>>>>
>>>>    On 25/09/2014 09:18, Ben Couldrey wrote:
>>>>
>>>>        We should all be running zsh anyway... (sorry Boyd, had to get in
>>>>        before you did)
>>>>
>>>>
>>>>
>>>>        Ben
>>>>
>>>>
>>>>
>>>>            On 25 Sep 2014, at 6:13 pm, Andrew Watkins <[email protected]> wrote:
>>>>
>>>>
>>>>
>>>>
>>>>            It will be interesting if Oracle release a bash patch for
>>>>            all Solaris 11 versions (11, 11.1 and 11.2).
>>>>            Or will they force everyone to go to Solaris 11.2 SRU latest?
>>>>
>>>>            Andrew
>>>>
>>>>            On 25/09/2014 08:21, McGinley, Ian R wrote:
>>>>
>>>>                Log an SR asking for it.
>>>>
>>>>                We've got one in the system for tracking internal change
>>>>                management purposes.
>>>>
>>>>                In the meantime if it's super dangerous for you, then
>>>>                pkgrm SUNWbash, or at least chmod 000 /bin/bash
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>                Ian McGinley
>>>>
>>>>                Application Technology
>>>>
>>>>                Consumer and Digital - Online
>>>>
>>>>                03 8647 2433
>>>>
>>>>                0457 724 419
>>>>
>>>>
>>>>
>>>>                From: Tony Payne [mailto:[email protected]]
>>>>                Sent: Thursday, 25 September 2014 11:39 AM
>>>>                To: msosug
>>>>                Subject: [msosug] bash vulnerability in Solaris?.
>>>>
>>>>
>>>>
>>>>                Hi All,
>>>>
>>>>
>>>>
>>>>                I'm sure you've all heard about the bash vulnerability
>>>>                where "specially-crafted environment variables can be
>>>>                used to inject shell commands", unearthed by Stephane
>>>>                Chazelas very recently?
>>>>
>>>>
>>>>
>>>>                Many Linux flavors have already released patches and
>>>>                according to the following test (see in full at:
>>>>                https://access.redhat.com/articles/1200223) Solaris 10
>>>>                at least appears to be vulnerable.
>>>>
>>>>
>>>>
>>>>                =========================
>>>>
>>>>                Diagnostic Steps
>>>>
>>>>                To test if your version of Bash is vulnerable to this
>>>>                issue, run the following command:
>>>>
>>>>                $ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
>>>>
>>>>                If the output of the above command looks as follows:
>>>>
>>>>                vulnerable
>>>>                this is a test
>>>>
>>>>                you are using a vulnerable version of Bash. The patch
>>>>                used to fix this issue ensures that no code is allowed
>>>>                after the end of a Bash function. Thus, if you run the
>>>>                above example with the patched version of Bash, you
>>>>                should get an output similar to:
>>>>
>>>>                $ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
>>>>                bash: warning: x: ignoring function definition attempt
>>>>                bash: error importing function definition for `x'
>>>>                this is a test
>>>>
>>>>                =========================
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>                Does anyone know if there is, or is planned, a patch for
>>>>                Solaris' bash implementation?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>                * https://access.redhat.com/security/cve/CVE-2014-6271?sc_cid=70160000000e8eaAAA&
>>>>
>>>>
>>>>
>>>>                --
>>>>                Cheers,
>>>>
>>>>                Tony.
>>>>
>>>>
>>>>
>>>>
>>>>                _______________________________________________
>>>>
>>>>                msosug mailing list
>>>>
>>>>                [email protected] 
>>>> <mailto:[email protected]>
>>>>
>>>>                http://mexico.purplecow.org/m/listinfo/msosug
>>>>
>>>>
>>>>
>>>>
>>>>            --
>>>>
>>>>            Andrew Watkins * Birkbeck, University of London * 
>>>> Computer Science *
>>>>
>>>>            * UKOUG Solaris SIG Co-Chair *
>>>>
>>>>            http://notallmicrosoft.blogspot.com/
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>    --
>>>>
>>>>    Andrew Watkins * Birkbeck, University of London * Computer 
>>>> Science
>>>> *
>>>>
>>>>    * UKOUG Solaris SIG Co-Chair *
>>>>
>>>>    http://notallmicrosoft.blogspot.com/
>>>>
>>>
>>> --
>>> Andre van Eyssen
>>> mail: [email protected]            (alt: [email protected])
>>> purplecow.org: UNIX for the masses   http://www2.purplecow.org
>>> purplecow.org: PCOWpix               http://pix.purplecow.org
>>>
>>>
>>>
>>
>>
>>
>
>
>
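
The two checks quoted in this thread (the Red Hat diagnostic and the "echo vuln" test Ian ran after the IDR), wrapped into one POSIX sh function so a host can be classified non-interactively. This is an added example, not code from the thread or from Oracle; the function name shellshock_check and the patched/vulnerable/absent labels are my own, and the default path /usr/bin/bash is the one Tim compared in his md5sum listing.

```shell
#!/bin/sh
# Added example: classify a bash binary using the two tests quoted in the
# thread. Names (shellshock_check, the result labels) are mine, not Oracle's.

shellshock_check() {
    bash_bin=${1:-/usr/bin/bash}   # default path taken from Tim's listing
    [ -x "$bash_bin" ] || { echo absent; return 2; }

    # Check 1 (the Red Hat diagnostic, CVE-2014-6271): code trailing an
    # imported function body must be ignored, so "vulnerable" must not
    # reach stdout. A fixed bash prints its warnings on stderr instead.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null)
    case $out in
        *vulnerable*) echo vulnerable; return 1 ;;
    esac

    # Check 2 (Ian's post-IDR test for the incomplete first fix): a bash
    # whose parser leaks state writes a file literally named "echo"
    # containing "vuln" into the current directory, so run it in a
    # scratch directory and inspect that file rather than stdout.
    scratch=$(mktemp -d) || { echo absent; return 2; }
    ( cd "$scratch" && env X='() { (a)=>\' "$bash_bin" -c 'echo echo vuln' >/dev/null 2>&1 )
    if [ -f "$scratch/echo" ] && [ "$(cat "$scratch/echo")" = vuln ]; then
        rm -rf "$scratch"
        echo vulnerable
        return 1
    fi
    rm -rf "$scratch"
    echo patched
    return 0
}

# Stand-alone use: ./check.sh /usr/bin/bash; the exit status (0 patched,
# 1 vulnerable, 2 no such binary) is what a fleet sweep would collect.
if [ $# -gt 0 ]; then
    shellshock_check "$1"
fi
```

Because the second test creates a file in the working directory on a vulnerable bash, the scratch directory matters when the check is run from a cron job or a config-management agent.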

