Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-26 Thread The Wanderer

On 09/25/2014 at 11:16 AM, The Wanderer wrote:

 On 09/24/2014 at 04:52 PM, Steve Litt wrote:
 
 Hi everyone,
 
 Bash Code Injection Vulnerability via Specially Crafted
 Environment Variables (CVE-2014-6271)
 
 https://access.redhat.com/articles/1200223

 Does anyone know if there's a fix for Debian's bash, and how to 
 install it?
 
 As already noted, there's been a debian-security-announce alert 
 about this, for a fix in wheezy.
 
 For testing, I don't know how comprehensive it is, but I ran a 
 variant of that same test on my system (with bash 4.3.9) and got a 
 successful pass - no vulnerability indicated.

For the record: this was a false negative. I somehow failed to notice
that the variant in question invoked /bin/sh instead of bash...

 A quick test also indicates that, as mostly expected, dash (the 
 Debian Almquist shell, which provides /bin/sh by default in
 current Debian) is apparently not affected.

...which, because of this, of course did not indicate vulnerability.

The same test with bash instead of /bin/sh shows 4.3-9 as vulnerable, as
expected.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/54255834.5040...@fastmail.fm



Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-25 Thread Håkon Alstadheim
According to 
https://secure.dshield.org/forums/diary/Attention+NIX+admins+time+to+patch/18703:
Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. 
An attacker can provide specially-crafted environment variables 
containing arbitrary commands that will be executed on vulnerable 
systems under certain conditions. The new issue has been assigned 
CVE-2014-7169.

https://access.redhat.com/articles/1200223

According to the article at redhat, only bash is vulnerable, so (if you 
do not have homegrown bashisms in shells with #!/bin/sh as first line) 
you should check that ls -l /bin/sh gives /bin/sh - dash, and do 
dpkg-reconfigure dash if it does not.




Archive: https://lists.debian.org/5423c1c4.1090...@alstadheim.priv.no



Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-25 Thread Jonathan Dowland
On Wed, Sep 24, 2014 at 04:25:58PM -0500, John Hasler wrote:
 Mailing list: debian-security-annou...@lists.debian.org
 
 You should be subscribed.

I'd just like to re-iterate this. *EVERY* Debian user should subscribe to that
list.


Archive: https://lists.debian.org/20140925091029.GA19619@debian



Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-25 Thread Gokan Atmaca
Hello

To protect against this weakness, it is sufficient to do the following:

apt-get update && apt-get install --only-upgrade bash

On Thu, Sep 25, 2014 at 10:18 AM, Håkon Alstadheim
ha...@alstadheim.priv.no wrote:
 According to
 https://secure.dshield.org/forums/diary/Attention+NIX+admins+time+to+patch/18703:
 Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An
 attacker can provide specially-crafted environment variables containing
 arbitrary commands that will be executed on vulnerable systems under certain
 conditions. The new issue has been assigned CVE-2014-7169.
 https://access.redhat.com/articles/1200223

 According to the article at redhat, only bash is vulnerable, so (if you do
 not have homegrown bashisms in shells with #!/bin/sh as first line) you
 should check that ls -l /bin/sh gives /bin/sh - dash, and do
 dpkg-reconfigure dash if it does not.





Archive: 
https://lists.debian.org/cahg8tecx7n-f5n8gznsd6b7rprbbkvxwzpjjukshbmqo3pc...@mail.gmail.com



Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-25 Thread The Wanderer

On 09/24/2014 at 04:52 PM, Steve Litt wrote:

 Hi everyone,
 
 Bash Code Injection Vulnerability via Specially Crafted
 Environment Variables (CVE-2014-6271)
 
 https://access.redhat.com/articles/1200223
 
 My current Debian setup is vulnerable, as shown below:
 
 ==
 slitt@mydesq2:~$ env x='() { :;}; \
 echo vulnerable' bash -c "echo this is a test"
 vulnerable
 this is a test
 
 slitt@mydesq2:~$ bash --version
 GNU bash, version 4.2.37(1)-release (x86_64-pc-linux-gnu)
 ==
 
 Does anyone know if there's a fix for Debian's bash, and how to 
 install it?

As already noted, there's been a debian-security-announce alert about
this, for a fix in wheezy.

For testing, I don't know how comprehensive it is, but I ran a variant
of that same test on my system (with bash 4.3.9) and got a successful
pass - no vulnerability indicated.

Online reports have indicated that bash 4.3.x is affected, and I haven't
updated bash since before these reports hit, so I don't know what the
true shape of the picture is. The data point seemed potentially worth
mentioning, however.

A quick test also indicates that, as mostly expected, dash (the Debian
Almquist shell, which provides /bin/sh by default in current Debian) is
apparently not affected.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw


Archive: https://lists.debian.org/542431d8.4050...@fastmail.fm



Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-25 Thread Joe Loiacono
By default I have seemingly assumed sysadmin duties for a host running 
Debian 6.0.7 (squeeze). So (not having done a lot of this before) ...


1) the system bash is vulnerable

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

2) bash is version 4.1.5

host: bash --version
GNU bash, version 4.1.5(1)-release (i486-pc-linux-gnu)

3) There are no upgrades 

$ apt-get install bash
Reading package lists... Done
Building dependency tree
Reading state information... Done
bash is already the newest version.

Would you mind recommending how best I should proceed?

Thank you,

Joe Loiacono

Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-25 Thread Brian
On Thu 25 Sep 2014 at 13:59:40 -0400, Joe Loiacono wrote:

 By default I have seemingly assumed sysadmin duties for a host running 
 Debian 6.0.7 (squeeze). So (not having done a lot of this before) ...

https://wiki.debian.org/LTS/Using
https://wiki.debian.org/LTS
https://wiki.debian.org/LTS/FAQ


Archive: 
https://lists.debian.org/25092014190622.2411067a3...@desktop.copernicus.demon.co.uk



Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-25 Thread Mike McGinn

On Thursday, September 25, 2014 13:59:40 Joe Loiacono wrote:
 By default I have seemingly assumed sysadmin duties for a host running
 Debian 6.0.7 (squeeze). So (not having done a lot of this before) ...
 
 
 1) the system bash is vulnerable
 
  $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
 
 vulnerable
 this is a test
 
 2) bash is version 4.1.5
 
 host: bash --version
 GNU bash, version 4.1.5(1)-release (i486-pc-linux-gnu)
 
 3) There are no upgrades
 
 $ apt-get install bash
 Reading package lists... Done
 Building dependency tree
 Reading state information... Done
 bash is already the newest version.
 
 Would you mind recommending how best I should proceed?
 
 Thank you,
 
 Joe Loiacono

Joe -
I updated my Squeeze box this morning. Try as root:
apt-get update 
then ---
apt-get upgrade


Mike

-- 
Mike McGinn KD2CNU
Be happy that brainfarts don't smell.
No electrons were harmed in sending this message, some were inconvenienced.
** Registered Linux User 377849


Archive: https://lists.debian.org/201409251411.44006.mikemcg...@mcginnweb.net



Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-25 Thread Joe Loiacono
Brian a...@cityscape.co.uk wrote on 09/25/2014 02:08:15 PM:

 From: Brian a...@cityscape.co.uk
 To: debian-user@lists.debian.org
 Date: 09/25/2014 02:08 PM
 Subject: Re: Bash Code Injection Vulnerability via Specially Crafted
 Environment Variables (CVE-2014-6271)
 
 On Thu 25 Sep 2014 at 13:59:40 -0400, Joe Loiacono wrote:
 
  By default I have seemingly assumed sysadmin duties for a host running 

  Debian 6.0.7 (squeeze). So (not having done a lot of this before) ...
 
 https://wiki.debian.org/LTS/Using
 https://wiki.debian.org/LTS
 https://wiki.debian.org/LTS/FAQ

Thank you! This worked great.

Joe

Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-24 Thread Steve Litt
Hi everyone,

Bash Code Injection Vulnerability via Specially Crafted Environment
Variables (CVE-2014-6271)

https://access.redhat.com/articles/1200223

My current Debian setup is vulnerable, as shown below:

==
slitt@mydesq2:~$ env x='() { :;}; \
echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
slitt@mydesq2:~$ uname -a
Linux mydesq2 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64 GNU/Linux
slitt@mydesq2:~$ cat /etc/issue
Debian GNU/Linux 7 \n \l

slitt@mydesq2:~$ bash --version
GNU bash, version 4.2.37(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
http://gnu.org/licenses/gpl.html

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
slitt@mydesq2:~$ 
==

Does anyone know if there's a fix for Debian's bash, and how to install
it?

Thanks,

SteveT

Steve Litt*  http://www.troubleshooters.com/
Troubleshooting Training  *  Human Performance


Archive: https://lists.debian.org/20140924165250.2351e...@mydesq2.domain.cxm
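The thread's probe is easy to misread by hand, as The Wanderer's false negative (running it under /bin/sh instead of bash) shows. Below is an added check script, not code from the thread or from Debian: it wraps the same `env x='() { :;}; echo vulnerable' bash -c "echo this is a test"` probe that Steve posted, classifies its output, and adds the `/bin/sh -> dash` check from Håkon Alstadheim's post. The function names (classify_shellshock_output, probe_bash, sh_target, sh_is_dash) are my own; the script assumes GNU or busybox `readlink -f`.

```shell
#!/bin/sh
# Added example (not from the debian-user thread). Defender-side check for
# CVE-2014-6271 using the benign probe the thread uses, plus the /bin/sh
# symlink check Håkon recommends. All function names are assumptions.

# Classify captured probe output. Prints one of:
#   vulnerable     - the "echo vulnerable" smuggled in via the environment ran
#   not-vulnerable - only the real command's output appeared. The patched
#                    wheezy bash in the thread also prints "ignoring function
#                    definition attempt"; later bash releases print nothing
#                    extra, so the command output alone is the reliable marker.
#   unknown        - neither marker present (e.g. the shell was not found)
classify_shellshock_output() {
    out="$1"
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        echo vulnerable
    elif printf '%s\n' "$out" | grep -qx 'this is a test'; then
        echo not-vulnerable
    else
        echo unknown
    fi
}

# Run the thread's probe against the named shell (default: bash on PATH).
# Passing "sh" instead of "bash" reproduces The Wanderer's false negative:
# dash never imports functions from the environment, so it cannot say
# "vulnerable" whatever the state of bash is.
probe_bash() {
    shell="${1:-bash}"
    # Exactly the test from the thread; the payload only echoes a word.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c "echo this is a test" 2>&1)
    classify_shellshock_output "$out"
}

# Name of the binary a /bin/sh-style symlink resolves to. The path is a
# parameter so the check can be exercised on a constructed link.
sh_target() {
    basename "$(readlink -f "${1:-/bin/sh}")"
}

# True when the link resolves to dash, the default on current Debian.
sh_is_dash() {
    [ "$(sh_target "${1:-/bin/sh}")" = "dash" ]
}

main() {
    result=$(probe_bash bash)
    echo "bash probe result: $result"
    echo "/bin/sh resolves to: $(sh_target /bin/sh)"
    if [ "$result" = vulnerable ]; then
        echo "bash is vulnerable: apt-get update && apt-get upgrade (DSA-3032-1)"
    fi
    if ! sh_is_dash /bin/sh; then
        echo "/bin/sh is not dash; the thread suggests dpkg-reconfigure dash"
    fi
}

main
```

Run it as `sh shellshock-check.sh` on the host in question. Calling `probe_bash sh` instead of `probe_bash bash` from an interactive shell shows why a /bin/sh-based variant of the test reports nothing even on an unpatched system: the result is about the shell actually invoked, not about bash.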



Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-24 Thread Iain M Conochie


On 24/09/14 21:52, Steve Litt wrote:

Hi everyone,

Bash Code Injection Vulnerability via Specially Crafted Environment
Variables (CVE-2014-6271)

https://access.redhat.com/articles/1200223

My current Debian setup is vulnerable, as shown below:

==
slitt@mydesq2:~$ env x='() { :;}; \
echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
slitt@mydesq2:~$ uname -a
Linux mydesq2 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64 GNU/Linux
slitt@mydesq2:~$ cat /etc/issue
Debian GNU/Linux 7 \n \l

env x='() { :;}; \
 echo vulnerable' bash -c "echo this is a test"
bash: line 1: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
21:58:57 shihad:$ uname -a
Linux shihad 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64 GNU/Linux
21:59:09 shihad:$ cat /etc/issue
Debian GNU/Linux 7 \n \l
bash --version
GNU bash, version 4.3.24(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
http://gnu.org/licenses/gpl.html


This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Did you try apt-get update && apt-get upgrade yet? That should fix you 
right up, as long as your mirror is up to date.

Cheers

Iain



Archive: https://lists.debian.org/54233116.6080...@thargoid.co.uk



Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-24 Thread John Hasler
-------------------------------------------------------------------------
Debian Security Advisory DSA-3032-1                   secur...@debian.org
http://www.debian.org/security/                           Florian Weimer
September 24, 2014                     http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: bash
CVE ID : CVE-2014-6271

Stephane Chazelas discovered a vulnerability in bash, the GNU
Bourne-Again Shell, related to how environment variables are
processed.  In many common configurations, this vulnerability is
exploitable over the network, especially if bash has been configured
as the system shell.

For the stable distribution (wheezy), this problem has been fixed in
version 4.2+dfsg-0.1+deb7u1.

We recommend that you upgrade your bash packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

You should be subscribed.
-- 
John Hasler 
jhas...@newsguy.com
Elmwood, WI USA


Archive: https://lists.debian.org/87iokcbti1@thumper.dhh.gt.org



Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-24 Thread Steve Litt
On Wed, 24 Sep 2014 16:25:58 -0500
John Hasler jhas...@newsguy.com wrote:

[snip]
 Package: bash
 CVE ID : CVE-2014-6271
 
 Stephane Chazelas discovered a vulnerability in bash,

[snip]

 For the stable distribution (wheezy), this problem has been fixed in
 version 4.2+dfsg-0.1+deb7u1.

[snip]

 
 frequently asked questions can be
 found at: https://www.debian.org/security/

Festive!

The instructions (specifically apt-get update && apt-get upgrade) fixed
my problem, as shown below!


slitt@mydesq2:~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
slitt@mydesq2:~$

Thank you! I was worried about that.

SteveT

Steve Litt*  http://www.troubleshooters.com/
Troubleshooting Training  *  Human Performance


Archive: https://lists.debian.org/20140924182513.1eb52...@mydesq2.domain.cxm



Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-24 Thread Brian
On Wed 24 Sep 2014 at 16:52:50 -0400, Steve Litt wrote:

 Bash Code Injection Vulnerability via Specially Crafted Environment
 Variables (CVE-2014-6271)
 
 https://access.redhat.com/articles/1200223

[Snip]

Nearly 50 minutes before your mail we had:

  To: debian-user@lists.debian.org
  From: Iain M Conochie i...@thargoid.co.uk
  Subject: bad bash bug 
  Received: from bendel.debian.org ([127.0.0.1])
  by localhost (lists.debian.org [127.0.0.1]) (amavisd-new, port 2525)
  with ESMTP id nEctwXCEm6Rb
  for lists-debian-u...@bendel.debian.org;
  Wed, 24 Sep 2014 20:07:06 + (UTC)

6 hours prior to that there was:

  To: debian-security-annou...@lists.debian.org
  From: Florian Weimer f...@deneb.enyo.de
  Received: from bendel.debian.org ([127.0.0.1])
  by localhost (lists.debian.org [127.0.0.1]) (amavisd-new, port 2525)
  with ESMTP id PC1cdgYAoqvP
  for lists-debian-security-annou...@bendel.debian.org;
  Wed, 24 Sep 2014 14:06:15 + (UTC)

 Does anyone know if there's a fix for Debian's bash, and how to install
 it? 

As shown above - at least two people knew. Reading debian-user isn't
obligatory, even if you subscribe to it. You should consider subscribing
to debian-security-announce.

Installing a security upgrade? We have this little program called
apt-get and a security archive. I'd advise you to become familiar with
the ins and outs of Debian.


Archive: https://lists.debian.org/20140924224427.gt4...@copernicus.demon.co.uk