Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
On 09/25/2014 at 11:16 AM, The Wanderer wrote:

> On 09/24/2014 at 04:52 PM, Steve Litt wrote:
>
>> Hi everyone,
>>
>> Bash Code Injection Vulnerability via Specially Crafted Environment
>> Variables (CVE-2014-6271)
>> https://access.redhat.com/articles/1200223
>>
>> Does anyone know if there's a fix for Debian's bash, and how to
>> install it?
>
> As already noted, there's been a debian-security-announce alert about
> this, for a fix in wheezy.
>
> For testing, I don't know how comprehensive it is, but I ran a variant
> of that same test on my system (with bash 4.3.9) and got a successful
> pass - no vulnerability indicated.

For the record: this was a false negative. I somehow failed to notice
that the variant in question invoked /bin/sh instead of bash...

> A quick test also indicates that, as mostly expected, dash (the Debian
> Almquist shell, which provides /bin/sh by default in current Debian)
> is apparently not affected.

...which, because of this, of course did not indicate vulnerability.

The same test with bash instead of /bin/sh shows 4.3-9 as vulnerable,
as expected.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.
         -- George Bernard Shaw

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/54255834.5040...@fastmail.fm
Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
According to
https://secure.dshield.org/forums/diary/Attention+NIX+admins+time+to+patch/18703:

    Red Hat has become aware that the patch for CVE-2014-6271 is
    incomplete. An attacker can provide specially-crafted environment
    variables containing arbitrary commands that will be executed on
    vulnerable systems under certain conditions. The new issue has been
    assigned CVE-2014-7169.

https://access.redhat.com/articles/1200223

According to the article at redhat, only bash is vulnerable, so (if you
do not have homegrown bashisms in shells with #!/bin/sh as first line)
you should check that "ls -l /bin/sh" gives "/bin/sh -> dash", and do
"dpkg-reconfigure dash" if it does not.
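The two checks discussed in this thread, the exported-function probe that The Wanderer got a false negative from by pointing it at /bin/sh, and Håkon's "is /bin/sh really dash" check, folded into one small POSIX sh script. This is an added example, not code posted by anyone in the thread; it assumes bash lives at /bin/bash and that a coreutils-style readlink -f is available, and it only reports, it changes nothing on the system.

```shell
#!/bin/sh
# Added example (not from the thread): a read-only CVE-2014-6271 self-check
# built from the probe command posted in the thread. Written in POSIX sh so
# it behaves the same whether /bin/sh is dash or bash.

# shellshock_status PATH_TO_SHELL
# Prints "vulnerable", "patched" or "missing". The string "vulnerable" only
# reaches stdout if the shell under test executed the command that follows
# the function body in the exported variable, which is what CVE-2014-6271 is.
shellshock_status() {
    shell="$1"
    if [ ! -x "$shell" ]; then
        echo missing
        return 0
    fi
    # Same probe as in the thread. stderr is discarded because a patched
    # bash prints "ignoring function definition attempt" there; only the
    # marker on stdout decides the verdict.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# resolve_shell PATH
# Prints the basename of the real binary behind a possibly symlinked path,
# e.g. "dash" for /bin/sh on a default Debian install. This is the
# "ls -l /bin/sh" check from the thread, made scriptable.
resolve_shell() {
    target=$(readlink -f "$1" 2>/dev/null) || target="$1"
    basename "$target"
}

# probe_is_bash PATH
# Succeeds only if PATH resolves to bash. The false negative reported in the
# thread came from probing /bin/sh (dash) and reading the result as a
# statement about bash, so a verdict for a non-bash path is flagged.
probe_is_bash() {
    [ "$(resolve_shell "$1")" = bash ]
}

main() {
    for s in /bin/bash /bin/sh; do
        printf '%-10s -> %-8s : %s\n' "$s" "$(resolve_shell "$s")" "$(shellshock_status "$s")"
        if ! probe_is_bash "$s"; then
            echo "  note: $s is not bash; a 'patched' verdict here says nothing about bash itself"
        fi
    done
}

main
```

Run it as an unprivileged user; a line reading `/bin/bash -> bash : vulnerable` is the only result that calls for action (the apt-get update and upgrade discussed later in the thread), while `/bin/sh -> dash : patched` is just confirmation that the system shell is not bash and tells you nothing about bash.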
Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
On Wed, Sep 24, 2014 at 04:25:58PM -0500, John Hasler wrote:

> Mailing list: debian-security-annou...@lists.debian.org
> You should be subscribed.

I'd just like to re-iterate this. *EVERY* debian user should subscribe
to that list.
Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
Hello

To protect against this weakness it is sufficient to do as follows:

    apt-get update
    apt-get install --only-upgrade bash

On Thu, Sep 25, 2014 at 10:18 AM, Håkon Alstadheim
<ha...@alstadheim.priv.no> wrote:

> According to
> https://secure.dshield.org/forums/diary/Attention+NIX+admins+time+to+patch/18703:
>
>     Red Hat has become aware that the patch for CVE-2014-6271 is
>     incomplete. An attacker can provide specially-crafted environment
>     variables containing arbitrary commands that will be executed on
>     vulnerable systems under certain conditions. The new issue has been
>     assigned CVE-2014-7169.
>
> https://access.redhat.com/articles/1200223
>
> According to the article at redhat, only bash is vulnerable, so (if you
> do not have homegrown bashisms in shells with #!/bin/sh as first line)
> you should check that "ls -l /bin/sh" gives "/bin/sh -> dash", and do
> "dpkg-reconfigure dash" if it does not.
Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
On 09/24/2014 at 04:52 PM, Steve Litt wrote:

> Hi everyone,
>
> Bash Code Injection Vulnerability via Specially Crafted Environment
> Variables (CVE-2014-6271)
> https://access.redhat.com/articles/1200223
>
> My current Debian setup is vulnerable, as shown below:
>
> ==
> slitt@mydesq2:~$ env x='() { :;}; \
> echo vulnerable' bash -c "echo this is a test"
> vulnerable
> this is a test
> slitt@mydesq2:~$ bash --version
> GNU bash, version 4.2.37(1)-release (x86_64-pc-linux-gnu)
> ==
>
> Does anyone know if there's a fix for Debian's bash, and how to
> install it?

As already noted, there's been a debian-security-announce alert about
this, for a fix in wheezy.

For testing, I don't know how comprehensive it is, but I ran a variant
of that same test on my system (with bash 4.3.9) and got a successful
pass - no vulnerability indicated.

Online reports have indicated that bash 4.3.x is affected, and I haven't
updated bash since before these reports hit, so I don't know what the
true shape of the picture is. The data point seemed potentially worth
mentioning, however.

A quick test also indicates that, as mostly expected, dash (the Debian
Almquist shell, which provides /bin/sh by default in current Debian) is
apparently not affected.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.
         -- George Bernard Shaw
Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
By default I have seemingly assumed sysadmin duties for a host running
Debian 6.0.7 (squeeze). So (not having done a lot of this before) ...

1) the system bash is vulnerable

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test

2) bash is version 4.1.5

    host: bash --version
    GNU bash, version 4.1.5(1)-release (i486-pc-linux-gnu)

3) There are no upgrades

    $ apt-get install bash
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    bash is already the newest version.

Would you mind recommending how best I should proceed?

Thank you,

Joe Loiacono
Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
On Thu 25 Sep 2014 at 13:59:40 -0400, Joe Loiacono wrote:

> By default I have seemingly assumed sysadmin duties for a host running
> Debian 6.0.7 (squeeze). So (not having done a lot of this before) ...

https://wiki.debian.org/LTS/Using
https://wiki.debian.org/LTS
https://wiki.debian.org/LTS/FAQ
Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
On Thursday, September 25, 2014 13:59:40 Joe Loiacono wrote:

> By default I have seemingly assumed sysadmin duties for a host running
> Debian 6.0.7 (squeeze). So (not having done a lot of this before) ...
>
> 1) the system bash is vulnerable
>
>     env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>     vulnerable
>     this is a test
>
> 2) bash is version 4.1.5
>
>     host: bash --version
>     GNU bash, version 4.1.5(1)-release (i486-pc-linux-gnu)
>
> 3) There are no upgrades
>
>     $ apt-get install bash
>     Reading package lists... Done
>     Building dependency tree
>     Reading state information... Done
>     bash is already the newest version.
>
> Would you mind recommending how best I should proceed?
>
> Thank you,
>
> Joe Loiacono

Joe - I updated my Squeeze box this morning. Try as root:

    apt-get update

then

    apt-get upgrade

Mike

-- 
Mike McGinn KD2CNU
Be happy that brainfarts don't smell.
No electrons were harmed in sending this message, some were inconvenienced.
** Registered Linux User 377849
Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
Brian <a...@cityscape.co.uk> wrote on 09/25/2014 02:08:15 PM:

> From: Brian <a...@cityscape.co.uk>
> To: debian-user@lists.debian.org
> Date: 09/25/2014 02:08 PM
> Subject: Re: Bash Code Injection Vulnerability via Specially Crafted
> Environment Variables (CVE-2014-6271)
>
> On Thu 25 Sep 2014 at 13:59:40 -0400, Joe Loiacono wrote:
>
>> By default I have seemingly assumed sysadmin duties for a host running
>> Debian 6.0.7 (squeeze). So (not having done a lot of this before) ...
>
> https://wiki.debian.org/LTS/Using
> https://wiki.debian.org/LTS
> https://wiki.debian.org/LTS/FAQ

Thank you! This worked great.

Joe
Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
Hi everyone,

Bash Code Injection Vulnerability via Specially Crafted Environment
Variables (CVE-2014-6271)
https://access.redhat.com/articles/1200223

My current Debian setup is vulnerable, as shown below:

==
slitt@mydesq2:~$ env x='() { :;}; \
echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
slitt@mydesq2:~$ uname -a
Linux mydesq2 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64 GNU/Linux
slitt@mydesq2:~$ cat /etc/issue
Debian GNU/Linux 7 \n \l

slitt@mydesq2:~$ bash --version
GNU bash, version 4.2.37(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
slitt@mydesq2:~$
==

Does anyone know if there's a fix for Debian's bash, and how to install
it?

Thanks,

SteveT

Steve Litt                *  http://www.troubleshooters.com/
Troubleshooting Training  *  Human Performance
Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
On 24/09/14 21:52, Steve Litt wrote:

> Hi everyone,
>
> Bash Code Injection Vulnerability via Specially Crafted Environment
> Variables (CVE-2014-6271)
> https://access.redhat.com/articles/1200223
>
> My current Debian setup is vulnerable, as shown below:
>
> ==
> slitt@mydesq2:~$ env x='() { :;}; \
> echo vulnerable' bash -c "echo this is a test"
> vulnerable
> this is a test
> slitt@mydesq2:~$ uname -a
> Linux mydesq2 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64 GNU/Linux
> slitt@mydesq2:~$ cat /etc/issue
> Debian GNU/Linux 7 \n \l

env x='() { :;}; \
echo vulnerable' bash -c "echo this is a test"
bash: line 1: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
21:58:57 shihad:$ uname -a
Linux shihad 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64 GNU/Linux
21:59:09 shihad:$ cat /etc/issue
Debian GNU/Linux 7 \n \l

bash --version
GNU bash, version 4.3.24(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Did you try

    apt-get update
    apt-get upgrade

yet? That should fix you right up as long as your mirror is up to date.

Cheers

Iain
Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3032-1                   secur...@debian.org
http://www.debian.org/security/                           Florian Weimer
September 24, 2014                     http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bash
CVE ID         : CVE-2014-6271

Stephane Chazelas discovered a vulnerability in bash, the GNU
Bourne-Again Shell, related to how environment variables are processed.
In many common configurations, this vulnerability is exploitable over
the network, especially if bash has been configured as the system shell.

For the stable distribution (wheezy), this problem has been fixed in
version 4.2+dfsg-0.1+deb7u1.

We recommend that you upgrade your bash packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

You should be subscribed.

-- 
John Hasler
jhas...@newsguy.com
Elmwood, WI USA
Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
On Wed, 24 Sep 2014 16:25:58 -0500
John Hasler <jhas...@newsguy.com> wrote:

[snip]

> Package        : bash
> CVE ID         : CVE-2014-6271
>
> Stephane Chazelas discovered a vulnerability in bash,

[snip]

> For the stable distribution (wheezy), this problem has been fixed in
> version 4.2+dfsg-0.1+deb7u1.

[snip]

> frequently asked questions can be found at: https://www.debian.org/security/

Festive! The instructions (specifically apt-get update, apt-get
upgrade) fixed my problem, as shown below!

slitt@mydesq2:~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
slitt@mydesq2:~$

Thank you! I was worried about that.

SteveT

Steve Litt                *  http://www.troubleshooters.com/
Troubleshooting Training  *  Human Performance
Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
On Wed 24 Sep 2014 at 16:52:50 -0400, Steve Litt wrote:

> Bash Code Injection Vulnerability via Specially Crafted Environment
> Variables (CVE-2014-6271)
> https://access.redhat.com/articles/1200223

[Snip]

Nearly 50 minutes before your mail we had:

    To: debian-user@lists.debian.org
    From: Iain M Conochie <i...@thargoid.co.uk>
    Subject: bad bash bug
    Received: from bendel.debian.org ([127.0.0.1])
        by localhost (lists.debian.org [127.0.0.1]) (amavisd-new, port 2525)
        with ESMTP id nEctwXCEm6Rb for <lists-debian-u...@bendel.debian.org>;
        Wed, 24 Sep 2014 20:07:06 +0000 (UTC)

6 hours prior to that there was:

    To: debian-security-annou...@lists.debian.org
    From: Florian Weimer <f...@deneb.enyo.de>
    Received: from bendel.debian.org ([127.0.0.1])
        by localhost (lists.debian.org [127.0.0.1]) (amavisd-new, port 2525)
        with ESMTP id PC1cdgYAoqvP for <lists-debian-security-annou...@bendel.debian.org>;
        Wed, 24 Sep 2014 14:06:15 +0000 (UTC)

> Does anyone know if there's a fix for Debian's bash, and how to
> install it?

As shown above - at least two people knew. Reading debian-user isn't
obligatory, even if you subscribe to it. You should consider subscribing
to debian-security-announce.

Installing a security upgrade? We have this little program called
apt-get and a security archive. I'd advise you to become familiar with
the ins and outs of Debian.