Re: bash vulnerability

2014-09-30 Thread Jung-uk Kim
On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote:
 On 9/29/2014 11:01 AM, Mike Tancsa wrote:
 On 9/26/2014 5:01 PM, Bryan Drewery wrote:
 On 9/26/2014 12:41 PM, Bryan Drewery wrote:
 On 9/26/2014 11:51 AM, Bryan Drewery wrote:
 On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
 Apparently, the full fix is still not delivered, accordingly to this:
 http://seclists.org/oss-sec/2014/q3/741

 Kind regards,
 Bartek Rutkowski


 I'm pretty sure they call that a feature. This is a bit different.

 I've disabled environment function importing in the port. Using
 --import-functions will allow it to work if you need it.

 Hi Bryan,
 With the latest ports, bashcheck still sees some issues with bash.
 Are these false positives on FreeBSD ?

 Using
 https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck

 Not vulnerable to CVE-2014-6271 (original shellshock)
 Not vulnerable to CVE-2014-7169 (taviso bug)
 ./bashcheck: line 18: 54908 Segmentation fault  (core dumped) bash
 -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
 Vulnerable to CVE-2014-7186 (redir_stack bug)
 Test for CVE-2014-7187 not reliable without address sanitizer
 Variable function parser inactive, likely safe from unknown parser bugs

 ---Mike
 
 Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.

Applying the first patch for parse.y from the following post passed the
tests for me.

http://www.openwall.com/lists/oss-security/2014/09/25/32

In fact, all major Linux distros seem to use it now.

FYI,

Jung-uk Kim
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


Re: bash vulnerability

2014-09-30 Thread Jason Hellenthal
echo "Testing Exploit 1 (CVE-2014-6271)"
CVE6271=$(env x='() { :;}; echo -n V' bash -c : 2>/dev/null)
[ "${CVE6271}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"

echo "Testing Exploit 2 (CVE-2014-7169)"
CVE7169=$(env X='() { (4lpi.com)=>\' bash -c "echo date" 2>/dev/null; cat echo 2>/dev/null; rm -f echo)
[ ! "${CVE7169}" == "date" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"

echo "Testing Exploit 3 (CVE-2014-6277)"
CVE6277=$(env -i X=' () { }; echo -n V' bash -c :)
[ "${CVE6277}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"

echo "Testing Exploit 4 (CVE-2014-7186)"
CVE7186=$(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null ||echo -n V)
[ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"

echo "Testing Exploit 5 (CVE-2014-7187)"
CVE7187=$((for x in {1..200}; do echo "for x$x in ; do :"; done; for x in {1..200}; do echo done; done) |bash 2>/dev/null ||echo -n V)
[ "${CVE7187}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"

Good luck ;-)

On Sep 30, 2014, at 13:54, Jung-uk Kim j...@freebsd.org wrote:

 On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote:
 On 9/29/2014 11:01 AM, Mike Tancsa wrote:
 On 9/26/2014 5:01 PM, Bryan Drewery wrote:
 On 9/26/2014 12:41 PM, Bryan Drewery wrote:
 On 9/26/2014 11:51 AM, Bryan Drewery wrote:
 On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
 Apparently, the full fix is still not delivered, accordingly to this:
 http://seclists.org/oss-sec/2014/q3/741
 
 Kind regards,
 Bartek Rutkowski
 
 
 I'm pretty sure they call that a feature. This is a bit different.
 
 I've disabled environment function importing in the port. Using
 --import-functions will allow it to work if you need it.
 
 Hi Bryan,
With the latest ports, bashcheck still sees some issues with bash.
 Are these false positives on FreeBSD ?
 
 Using
 https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
 
 Not vulnerable to CVE-2014-6271 (original shellshock)
 Not vulnerable to CVE-2014-7169 (taviso bug)
 ./bashcheck: line 18: 54908 Segmentation fault  (core dumped) bash
 -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
 Vulnerable to CVE-2014-7186 (redir_stack bug)
 Test for CVE-2014-7187 not reliable without address sanitizer
 Variable function parser inactive, likely safe from unknown parser bugs
 
---Mike
 
 Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.
 
 Applying the first patch for parse.y from the following post passed the
 tests for me.
 
 http://www.openwall.com/lists/oss-security/2014/09/25/32
 
 In fact, all major Linux distros seem to use it now.
 
 FYI,
 
 Jung-uk Kim
 ___
 freebsd-secur...@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-security
 To unsubscribe, send any mail to freebsd-security-unsubscr...@freebsd.org

-- 
 Jason Hellenthal
 Mobile: +1 (616) 953-0176
 jhellent...@dataix.net
 JJH48-ARIN



Re: bash vulnerability

2014-09-30 Thread Bryan Drewery
On 9/30/2014 1:54 PM, Jung-uk Kim wrote:
 On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote:
 On 9/29/2014 11:01 AM, Mike Tancsa wrote:
 On 9/26/2014 5:01 PM, Bryan Drewery wrote:
 On 9/26/2014 12:41 PM, Bryan Drewery wrote:
 On 9/26/2014 11:51 AM, Bryan Drewery wrote:
 On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
 Apparently, the full fix is still not delivered, accordingly to this:
 http://seclists.org/oss-sec/2014/q3/741

 Kind regards,
 Bartek Rutkowski


 I'm pretty sure they call that a feature. This is a bit different.

 I've disabled environment function importing in the port. Using
 --import-functions will allow it to work if you need it.

 Hi Bryan,
 With the latest ports, bashcheck still sees some issues with bash.
 Are these false positives on FreeBSD ?

 Using
 https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck

 Not vulnerable to CVE-2014-6271 (original shellshock)
 Not vulnerable to CVE-2014-7169 (taviso bug)
 ./bashcheck: line 18: 54908 Segmentation fault  (core dumped) bash
 -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
 Vulnerable to CVE-2014-7186 (redir_stack bug)
 Test for CVE-2014-7187 not reliable without address sanitizer
 Variable function parser inactive, likely safe from unknown parser bugs

 ---Mike

 Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.
 
 Applying the first patch for parse.y from the following post passed the
 tests for me.
 
 http://www.openwall.com/lists/oss-security/2014/09/25/32
 
 In fact, all major Linux distros seem to use it now.
 
 FYI,
 
 Jung-uk Kim

I was holding off on this one as it had not proven to be remotely
exploitable from what I saw. I was also wanting to see what upstream did
before throwing more intrusive patches at our port.

I even saw a reddit post last night complaining that OSX had updated
bash only to leave it still vulnerable because of the redir_stack issue.

I will apply the redir_stack patch since it's becoming an FAQ.

-- 
Regards,
Bryan Drewery



signature.asc
Description: OpenPGP digital signature


Re: bash vulnerability

2014-09-30 Thread Jung-uk Kim
On 2014-09-30 14:58:07 -0400, Jason Hellenthal wrote:
 echo "Testing Exploit 1 (CVE-2014-6271)"
 CVE6271=$(env x='() { :;}; echo -n V' bash -c : 2>/dev/null)
 [ "${CVE6271}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
 
 echo "Testing Exploit 2 (CVE-2014-7169)"
 CVE7169=$(env X='() { (4lpi.com)=>\' bash -c "echo date" 2>/dev/null; cat echo 2>/dev/null; rm -f echo)
 [ ! "${CVE7169}" == "date" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
 
 echo "Testing Exploit 3 (CVE-2014-6277)"
 CVE6277=$(env -i X=' () { }; echo -n V' bash -c :)
 [ "${CVE6277}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
 
 echo "Testing Exploit 4 (CVE-2014-7186)"
 CVE7186=$(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null ||echo -n V)
 [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
 
 echo "Testing Exploit 5 (CVE-2014-7187)"
 CVE7187=$((for x in {1..200}; do echo "for x$x in ; do :"; done; for x in {1..200}; do echo done; done) |bash 2>/dev/null ||echo -n V)
 [ "${CVE7187}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
 
 Good luck ;-)

Yes, it passes all tests (the patch attached).

Jung-uk Kim
--- parse.y.orig2014-09-30 12:58:08.462512373 -0400
+++ parse.y 2014-09-30 12:58:08.629018000 -0400
@@ -265,9 +265,21 @@
 
 /* Variables to manage the task of reading here documents, because we need to
defer the reading until after a complete command has been collected. */
-static REDIRECT *redir_stack[10];
+static REDIRECT **redir_stack;
 int need_here_doc;
 
+/* Pushes REDIR onto redir_stack, resizing it as needed. */
+static void
+push_redir_stack (REDIRECT *redir)
+{
+  /* Guard against oveflow. */
+  if (need_here_doc + 1  INT_MAX / sizeof (*redir_stack))
+abort ();
+  redir_stack = xrealloc (redir_stack,
+ (need_here_doc + 1) * sizeof (*redir_stack));
+  redir_stack[need_here_doc++] = redir;
+}
+
 /* Where shell input comes from.  History expansion is performed on each
line when the shell is interactive. */
 static char *shell_input_line = (char *)NULL;
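Review bot: The overflow guard in push_redir_stack reads "if (need_here_doc + 1  INT_MAX / sizeof (*redir_stack))" in this copy, with no comparison operator between the two operands, so the direction of the test cannot be confirmed from the text shown; check it against the attachment before applying. On the same function, abort () turns an over-long run of here-documents into a core dump where a parse error would do, and INT_MAX needs limits.h, which this hunk does not add (it may already be included elsewhere in parse.y). The comment above the guard has a typo, "oveflow".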
@@ -520,42 +532,42 @@
  source.dest = 0;
  redir.filename = $2;
  $$ = make_redirection (source, r_reading_until, 
redir, 0);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
|   NUMBER LESS_LESS WORD
{
  source.dest = $1;
  redir.filename = $3;
  $$ = make_redirection (source, r_reading_until, 
redir, 0);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
|   REDIR_WORD LESS_LESS WORD
{
  source.filename = $1;
  redir.filename = $3;
  $$ = make_redirection (source, r_reading_until, 
redir, REDIR_VARASSIGN);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
|   LESS_LESS_MINUS WORD
{
  source.dest = 0;
  redir.filename = $2;
  $$ = make_redirection (source, 
r_deblank_reading_until, redir, 0);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
|   NUMBER LESS_LESS_MINUS WORD
{
  source.dest = $1;
  redir.filename = $3;
  $$ = make_redirection (source, 
r_deblank_reading_until, redir, 0);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
|   REDIR_WORD  LESS_LESS_MINUS WORD
{
  source.filename = $1;
  redir.filename = $3;
  $$ = make_redirection (source, 
r_deblank_reading_until, redir, REDIR_VARASSIGN);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
|   LESS_LESS_LESS WORD
{
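Review bot: None of the hunks shows the code that reads redir_stack back or resets need_here_doc, and that is where this change needs a second look. The array goes from a fixed "redir_stack[10]" to a pointer grown with xrealloc, so confirm that no reader still assumes ten slots, that the buffer is reused or released once the pending here-documents are consumed, and that no other direct "redir_stack[need_here_doc++] = $$;" store remains in parse.y beyond the six replaced here.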
@@ -4905,7 +4917,7 @@
 case CASE:
 case SELECT:
 case FOR:
-  if (word_top  MAX_CASE_NEST)
+  if (word_top + 1  MAX_CASE_NEST)
word_top++;
   word_lineno[word_top] = line_number;
   break;
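Review bot: The changed condition "if (word_top + 1  MAX_CASE_NEST)" has no comparison operator in this copy, so verify it against the attachment. As indented, the store "word_lineno[word_top] = line_number;" sits outside the if, so once the nesting limit is reached each deeper CASE, SELECT or FOR overwrites the last slot rather than being rejected; a short comment stating that this is intended would help, since the recorded line number for the deepest tracked construct may then no longer match the construct that was originally pushed.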

Re: bash vulnerability

2014-09-30 Thread Charles Swiger
On Sep 30, 2014, at 12:46 PM, Bryan Drewery bdrew...@freebsd.org wrote:
[ ... ]
 I even saw a reddit post last night complaining that OSX had updated
 bash only to leave it still vulnerable because of the redir_stack issue.

It doesn't seem to be?

bash-3.2$ bash --version
GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.

bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
Testing Exploit 4 (CVE-2014-7186)
bash-3.2$ CVE7186=$(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null ||echo -n V)
bash-3.2$ [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
NOT VULNERABLE

This being said, I'm not confident that there won't be further issues found 
with bash

Regards,
-- 
-Chuck



Re: bash vulnerability

2014-09-30 Thread Jason Hellenthal
I would agree with that. Considering the korn shell was found out to be 
importing functions from bash this morning that it does not completely know how 
to interpret goes to say that there is a much bigger issue at face here than 
the mere sys admins can begin to fathom quite yet.

There is still more to come from this. We may not see the end of it for the 
next 10 years.

But also to state bash 4.3.27 on 10-RELEASE-p9 reports as not vulnerable to the 
five known CVEs right now but that same shell compiled on a 9.1-RELEASE system 
is still vulnerable to the last two CVEs … That said this is deep just when you 
think you have it conquered.

On Sep 30, 2014, at 16:25, Charles Swiger cswi...@mac.com wrote:

 On Sep 30, 2014, at 12:46 PM, Bryan Drewery bdrew...@freebsd.org wrote:
 [ ... ]
 I even saw a reddit post last night complaining that OSX had updated
 bash only to leave it still vulnerable because of the redir_stack issue.
 
 It doesn't seem to be?
 
 bash-3.2$ bash --version
 GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
 Copyright (C) 2007 Free Software Foundation, Inc.
 
 bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
 Testing Exploit 4 (CVE-2014-7186)
 bash-3.2$ CVE7186=$(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null ||echo -n V)
 bash-3.2$ [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
 NOT VULNERABLE
 
 This being said, I'm not confident that there won't be further issues found 
 with bash
 
 Regards,
 -- 
 -Chuck
 

-- 
 Jason Hellenthal
 Mobile: +1 (616) 953-0176
 jhellent...@dataix.net
 JJH48-ARIN



Re: bash vulnerability

2014-09-30 Thread Mike Tancsa

On 9/30/2014 5:25 PM, Charles Swiger wrote:

bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
Testing Exploit 4 (CVE-2014-7186)
bash-3.2$ CVE7186=$(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null ||echo -n V)
bash-3.2$ [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
NOT VULNERABLE

This being said, I'm not confident that there won't be further issues found 
with bash



What are people using to check these issues ?  I was using

https://github.com/hannob/bashcheck

Not sure if that gives false positives ? Even on linux with all patches 
applied, it coredumps on 7186.


Yet the BASH maintainer says all holes are patched ?  Or does he 
consider 2014-7186 not a security issue ?


http://lists.gnu.org/archive/html/bug-bash/2014-09/msg00341.html



# bash ./bashcheck
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
./bashcheck: line 18: 19749 Segmentation fault  (core dumped) bash 
-c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null

Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs
#



--
---
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/


Re: bash vulnerability

2014-09-30 Thread Jung-uk Kim
On 2014-09-30 18:00:31 -0400, Mike Tancsa wrote:
 On 9/30/2014 5:25 PM, Charles Swiger wrote:
 bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
 Testing Exploit 4 (CVE-2014-7186)
 bash-3.2$ CVE7186=$(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null ||echo -n V)
 bash-3.2$ [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
 NOT VULNERABLE

 This being said, I'm not confident that there won't be further issues
 found with bash

 
 What are people using to check these issues ?  I was using
 
 https://github.com/hannob/bashcheck
 
 Not sure if that gives false positives ?
...

Yes, it seems it does.

https://github.com/hannob/bashcheck/commit/5b611b36

Jung-uk Kim


Re: bash vulnerability

2014-09-30 Thread Charles Swiger
On Sep 30, 2014, at 3:08 PM, Jung-uk Kim j...@freebsd.org wrote:
 On 2014-09-30 18:00:31 -0400, Mike Tancsa wrote:
 On 9/30/2014 5:25 PM, Charles Swiger wrote:
 bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
 Testing Exploit 4 (CVE-2014-7186)
 bash-3.2$ CVE7186=$(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null ||echo -n V)
 bash-3.2$ [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
 NOT VULNERABLE
 
 This being said, I'm not confident that there won't be further issues
 found with bash
 
 
 What are people using to check these issues ?  I was using
 
 https://github.com/hannob/bashcheck
 
 Not sure if that gives false positives ?
 ...
 
 Yes, it seems it does.
 
 https://github.com/hannob/bashcheck/commit/5b611b36
 
 Jung-uk Kim

Checking, and agreed.

bash -c "true $(printf '<<EOF %.0s' {1..70})" 2>/dev/null

...works OK, but this crashes with a SIGSEGV:

bash -c "true $(printf '<<EOF %.0s' {1..80})" 2>/dev/null

Seems to be blowing out a ~84K malloc buffer located just above the __TEXT page 
for /bin/bash; it's not blowing out the stack directly and isn't affected by 
changing ulimit -s.

Regards,
-- 
-Chuck



Re: bash vulnerability

2014-09-30 Thread Bryan Drewery
On 9/30/2014 1:54 PM, Jung-uk Kim wrote:
 On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote:
 On 9/29/2014 11:01 AM, Mike Tancsa wrote:
 On 9/26/2014 5:01 PM, Bryan Drewery wrote:
 On 9/26/2014 12:41 PM, Bryan Drewery wrote:
 On 9/26/2014 11:51 AM, Bryan Drewery wrote:
 On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
 Apparently, the full fix is still not delivered, accordingly to this:
 http://seclists.org/oss-sec/2014/q3/741

 Kind regards,
 Bartek Rutkowski


 I'm pretty sure they call that a feature. This is a bit different.

 I've disabled environment function importing in the port. Using
 --import-functions will allow it to work if you need it.

 Hi Bryan,
 With the latest ports, bashcheck still sees some issues with bash.
 Are these false positives on FreeBSD ?

 Using
 https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck

 Not vulnerable to CVE-2014-6271 (original shellshock)
 Not vulnerable to CVE-2014-7169 (taviso bug)
 ./bashcheck: line 18: 54908 Segmentation fault  (core dumped) bash
 -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
 Vulnerable to CVE-2014-7186 (redir_stack bug)
 Test for CVE-2014-7187 not reliable without address sanitizer
 Variable function parser inactive, likely safe from unknown parser bugs

 ---Mike

 Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.
 
 Applying the first patch for parse.y from the following post passed the
 tests for me.
 
 http://www.openwall.com/lists/oss-security/2014/09/25/32
 
 In fact, all major Linux distros seem to use it now.
 
 FYI,
 
 Jung-uk Kim

For some reason the redir_stack issue is not showing up at all for me on
head without the patch. It does show up on an 8.4 system of mine without
the patch though.

I have applied it now to the port.

-- 
Regards,
Bryan Drewery





Re: bash vulnerability

2014-09-29 Thread Bryan Drewery
On 9/29/2014 11:01 AM, Mike Tancsa wrote:
 On 9/26/2014 5:01 PM, Bryan Drewery wrote:
 On 9/26/2014 12:41 PM, Bryan Drewery wrote:
 On 9/26/2014 11:51 AM, Bryan Drewery wrote:
 On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
 Apparently, the full fix is still not delivered, accordingly to this:
 http://seclists.org/oss-sec/2014/q3/741

 Kind regards,
 Bartek Rutkowski


 I'm pretty sure they call that a feature. This is a bit different.

 I've disabled environment function importing in the port. Using
 --import-functions will allow it to work if you need it.
 
 Hi Bryan,
 With the latest ports, bashcheck still sees some issues with bash.
 Are these false positives on FreeBSD ?
 
 Using
 https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
 
 Not vulnerable to CVE-2014-6271 (original shellshock)
 Not vulnerable to CVE-2014-7169 (taviso bug)
 ./bashcheck: line 18: 54908 Segmentation fault  (core dumped) bash
 -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
 Vulnerable to CVE-2014-7186 (redir_stack bug)
 Test for CVE-2014-7187 not reliable without address sanitizer
 Variable function parser inactive, likely safe from unknown parser bugs
 
 ---Mike

Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.


-- 
Regards,
Bryan Drewery





Re: bash vulnerability

2014-09-29 Thread Mike Tancsa

On 9/26/2014 5:01 PM, Bryan Drewery wrote:

On 9/26/2014 12:41 PM, Bryan Drewery wrote:

On 9/26/2014 11:51 AM, Bryan Drewery wrote:

On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:

Apparently, the full fix is still not delivered, accordingly to this:
http://seclists.org/oss-sec/2014/q3/741

Kind regards,
Bartek Rutkowski



I'm pretty sure they call that a feature. This is a bit different.


I've disabled environment function importing in the port. Using
--import-functions will allow it to work if you need it.


Hi Bryan,
	With the latest ports, bashcheck still sees some issues with bash. Are 
these false positives on FreeBSD ?


Using
https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck

Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
./bashcheck: line 18: 54908 Segmentation fault  (core dumped) bash 
-c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null

Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs

---Mike



--
---
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/


Re: bash vulnerability

2014-09-26 Thread Steve Clement
Dear all,

In case you urgently need to go the manual route, here is one way to really 
patch your systems:

https://www.circl.lu/pub/tr-27/

Until the patch is in the bash upstream… (which it might be by now)

Take care,

-- 
Steve Clement 
CIRCL - Computer Incident Response Center Luxembourg 
Awareness raising, incident handling 
A: 41, Av. de la Gare L-1611 Luxembourg 
T: (352) 274 00 98 604 
F: (352) 274 00 98 698
E: i...@circl.lu 
W: www.circl.lu

On Sep 25, 2014, at 6:57 PM, Bryan Drewery bdrew...@freebsd.org wrote:

 The port is fixed with all known public exploits. The package is
 building currently.





Re: bash vulnerability

2014-09-26 Thread Bryan Drewery
On 9/26/2014 2:36 AM, Steve Clement wrote:
 Dear all,
 
 In case you urgently need to go the manual route, here is one way to really 
 patch your systems:
 
 https://www.circl.lu/pub/tr-27/
 
 Until the patch is in the bash upstream… (which it might be by now)
 
 Take care,
 

The port has had the fixes since yesterday. The packages are building.

-- 
Regards,
Bryan Drewery





Re: bash vulnerability

2014-09-26 Thread Bartek Rutkowski
On Fri, Sep 26, 2014 at 6:40 PM, Bryan Drewery bdrew...@freebsd.org wrote:
 On 9/26/2014 2:36 AM, Steve Clement wrote:
 Dear all,

 In case you urgently need to go the manual route, here is one way to really 
 patch your systems:

 https://www.circl.lu/pub/tr-27/

 Until the patch is in the bash upstream… (which it might be by now)

 Take care,


 The port has had the fixes since yesterday. The packages are building.

 --
 Regards,
 Bryan Drewery


Apparently, the full fix is still not delivered, according to this:
http://seclists.org/oss-sec/2014/q3/741

Kind regards,
Bartek Rutkowski

Re: bash vulnerability

2014-09-26 Thread Bryan Drewery
On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
 On Fri, Sep 26, 2014 at 6:40 PM, Bryan Drewery bdrew...@freebsd.org wrote:
 On 9/26/2014 2:36 AM, Steve Clement wrote:
 Dear all,

 In case you urgently need to go the manual route, here is one way to really 
 patch your systems:

 https://www.circl.lu/pub/tr-27/

 Until the patch is in the bash upstream… (which it might be by now)

 Take care,


 The port has had the fixes since yesterday. The packages are building.

 --
 Regards,
 Bryan Drewery

 
 Apparently, the full fix is still not delivered, accordingly to this:
 http://seclists.org/oss-sec/2014/q3/741
 
 Kind regards,
 Bartek Rutkowski
 

I'm pretty sure they call that a feature. This is a bit different.
This is modifying the command used to call a function as the feature
intends. The vulnerability was that just parsing the environment would
execute the code.

TL;DR; You should cleanse your environment and only accept valid input
to work around this feature. The bash developer (Chet) said he would not
remove it by default, at least a few days ago.

-- 
Regards,
Bryan Drewery





Re: bash vulnerability

2014-09-26 Thread Bryan Drewery
On 9/26/2014 11:51 AM, Bryan Drewery wrote:
 On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
 On Fri, Sep 26, 2014 at 6:40 PM, Bryan Drewery bdrew...@freebsd.org wrote:
 On 9/26/2014 2:36 AM, Steve Clement wrote:
 Dear all,

 In case you urgently need to go the manual route, here is one way to 
 really patch your systems:

 https://www.circl.lu/pub/tr-27/

 Until the patch is in the bash upstream… (which it might be by now)

 Take care,


 The port has had the fixes since yesterday. The packages are building.

 --
 Regards,
 Bryan Drewery


 Apparently, the full fix is still not delivered, accordingly to this:
 http://seclists.org/oss-sec/2014/q3/741

 Kind regards,
 Bartek Rutkowski

 
 I'm pretty sure they call that a feature. This is a bit different.
 This is modifying the command used to call a function as the feature
 intends. The vulnerability was that just parsing the environment would
 execute the code.
 
 TL;DR; You should cleanse your environment and only accept valid input
 to work around this feature. The bash developer (Chet) said he would not
 remove it by default, at least a few days ago.
 

There is more discussion here http://seclists.org/oss-sec/2014/q3/746

Anyway I still think this is not anything to panic about. However I am
making the decision to disable this feature entirely in our bash port by
default. I will use christos@NetBSD's patch to add a --import-functions
flag to bash. The port will allow selecting the default at build time.
Ours will have it disabled. I have no idea what the impact is on this
but it is the safest route for now; scripts passing functions in
environment is crazy.

-- 
Regards,
Bryan Drewery





Re: bash vulnerability

2014-09-26 Thread Bryan Drewery
On 9/26/2014 12:41 PM, Bryan Drewery wrote:
 On 9/26/2014 11:51 AM, Bryan Drewery wrote:
 On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
 Apparently, the full fix is still not delivered, accordingly to this:
 http://seclists.org/oss-sec/2014/q3/741

 Kind regards,
 Bartek Rutkowski


 I'm pretty sure they call that a feature. This is a bit different.

I've disabled environment function importing in the port. Using
--import-functions will allow it to work if you need it.

https://svnweb.freebsd.org/changeset/ports/369341

-- 
Regards,
Bryan Drewery





bash vulnerability

2014-09-25 Thread Riyaz T.K
Hi,

https://www.freebsd.org/cgi/ports.cgi?query=The+GNU+Project%27s+Bourne+Again+SHell&stype=text&sektion=all

Is this version patched from the bash vulnerability?

https://access.redhat.com/articles/1200223




-- 
Riyaz T K
Admod Technologies


Re: bash vulnerability

2014-09-25 Thread Koichiro IWAO
I think not yet [1]. But it will shortly be updated to a patched version because
the vulnerability is already documented in security/vuxml [2]. That
means the port committer(s) are already aware of the bash vulnerability.

[1] 
http://svnweb.freebsd.org/ports/head/shells/bash/Makefile?revision=369185&view=markup
[2] http://svnweb.freebsd.org/ports?view=revision&revision=369192


On Thu, Sep 25, 2014 at 11:58:30AM +0530, Riyaz T.K wrote:
 Hi,
 
 https://www.freebsd.org/cgi/ports.cgi?query=The+GNU+Project%27s+Bourne+Again+SHell&stype=text&sektion=all
 
 Is this version patched from the bash vulnerability?
 
 https://access.redhat.com/articles/1200223
 
 
 
 
 -- 
 Riyaz T K
 Admod Technologies

-- 
`whois vmeta.jp | nkf -w`
meta m...@vmeta.jp


Re: bash vulnerability

2014-09-25 Thread Koichiro IWAO
Please let me make corrections.  The shellshock bash vulnerabilities are 
described by 2 CVEs.
 - CVE-2014-6271
 - CVE-2014-7169

The first CVE is already fixed in latest freebsd ports tree (r369185),
so far the second CVE is not fixed yet.

On Thu, Sep 25, 2014 at 11:58:30AM +0530, Riyaz T.K wrote:
 Hi,
 
 https://www.freebsd.org/cgi/ports.cgi?query=The+GNU+Project%27s+Bourne+Again+SHell&stype=text&sektion=all
 
 Is this version patched from the bash vulnerability?
 
 https://access.redhat.com/articles/1200223
 
 
 
 
 -- 
 Riyaz T K
 Admod Technologies

-- 
`whois vmeta.jp | nkf -w`
meta m...@vmeta.jp


Re: bash vulnerability

2014-09-25 Thread Jung-uk Kim
On 2014-09-25 02:54:06 -0400, Koichiro Iwao wrote:
 Please let me make corrections.  The shellshock bash 
 vulnerabilities are described by 2 CVEs. - CVE-2014-6271 - 
 CVE-2014-7169
 
 The first CVE is already fixed in latest freebsd ports tree 
 (r369185), so far the second CVE is not fixed yet.

CVE-2014-7169 is fixed now (r369261).

http://svnweb.freebsd.org/changeset/ports/369261

Note the commit log says CVE-2014-3659 but it was actually reassigned
as CVE-2014-7169.

Jung-uk Kim

 On Thu, Sep 25, 2014 at 11:58:30AM +0530, Riyaz T.K wrote:
 Hi,
 
 https://www.freebsd.org/cgi/ports.cgi?query=The+GNU+Project%27s+Bourne+Again+SHell&stype=text&sektion=all



 
Is this version patched from the bash vulnerability?
 
 https://access.redhat.com/articles/1200223


Re: bash vulnerability

2014-09-25 Thread Bryan Drewery
On 9/25/2014 11:13 AM, Jung-uk Kim wrote:
 On 2014-09-25 02:54:06 -0400, Koichiro Iwao wrote:
 Please let me make corrections.  The shellshock bash 
 vulnerabilities are described by 2 CVEs. - CVE-2014-6271 - 
 CVE-2014-7169

 The first CVE is already fixed in latest freebsd ports tree 
 (r369185), so far the second CVE is not fixed yet.
 
 CVE-2014-7169 is fixed now (r369261).
 
 http://svnweb.freebsd.org/changeset/ports/369261
 
 Note the commit log says CVE-2014-3659 but it was actually reassigned
 as CVE-2014-7169.

Thanks, vuxml updated.


-- 
Regards,
Bryan Drewery





Re: bash vulnerability

2014-09-25 Thread Bryan Drewery
On 9/25/2014 11:13 AM, Jung-uk Kim wrote:
 On 2014-09-25 02:54:06 -0400, Koichiro Iwao wrote:
 Please let me make corrections.  The shellshock bash 
 vulnerabilities are described by 2 CVEs. - CVE-2014-6271 - 
 CVE-2014-7169

 The first CVE is already fixed in latest freebsd ports tree 
 (r369185), so far the second CVE is not fixed yet.
 
 CVE-2014-7169 is fixed now (r369261).
 
 http://svnweb.freebsd.org/changeset/ports/369261
 
 Note the commit log says CVE-2014-3659 but it was actually reassigned
 as CVE-2014-7169.
 
 Jung-uk Kim
 

The port is fixed with all known public exploits. The package is
building currently.

However bash still allows the crazy exporting of functions and may still
have other parser bugs. I would recommend for the immediate future not
using bash for forced ssh commands as well as these guidelines:

1. Do not ever link /bin/sh to bash. This is why it is such a big
problem on Linux, as system(3) will run bash by default from CGI.
2. Web/CGI users should have shell of /sbin/nologin.
3. Don't write CGI in shell script / Stop using CGI :)
4. httpd/CGId should never run as root, nor apache. Sandbox each
application into its own user.
5. Custom restrictive shells, like scponly, should not be written in bash.
6. SSH authorized_keys/sshd_config forced commands should also not be
written in bash.


Cheers,
Bryan Drewery
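
Guidelines 1, 2 and 6 in the message above can be checked mechanically. The shell helpers below are an added example, not code from this thread or from the FreeBSD port; the function names, account names, paths and key lines are constructed for illustration, and the shebang check assumes forced commands name their program as the first word.

```shell
#!/bin/sh
# Added example: audit helpers for guidelines 1, 2 and 6 above.
# Everything under the sample directory is constructed test data.

# Guideline 1: succeed if the given sh path is, or is a symlink to, a file
# named bash. A renamed copy of bash is not caught by this name-based check.
sh_is_bash() {
    target=$(readlink -f "$1" 2>/dev/null) || target=$1
    [ "$(basename "$target")" = bash ]
}

# Guideline 2: print "user:shell" for each named account in a passwd-format
# file whose login shell is not a nologin binary.
web_users_with_shell() {
    passwd_file=$1; shift
    for user in "$@"; do
        awk -F: -v u="$user" \
            '$1 == u && $7 !~ /\/nologin$/ { print $1 ":" $7 }' "$passwd_file"
    done
}

# Succeed if the program is bash itself or a script whose shebang runs bash
# (directly or through env).
uses_bash() {
    [ "$(basename "$1")" = bash ] && return 0
    [ -f "$1" ] && [ -r "$1" ] || return 1
    head -n 1 "$1" | grep -Eq \
        '^#![[:space:]]*[^[:space:]]*(/|env[[:space:]]+)bash([[:space:]]|$)'
}

# Guideline 6: print every command="..." forced command in an authorized_keys
# file whose program is bash or a bash script. Escaped quotes inside the
# command string are not handled.
bash_forced_commands() {
    sed -n '/^#/d; s/.*command="\([^"]*\)".*/\1/p' "$1" |
    while IFS= read -r cmd; do
        prog=${cmd%% *}
        if uses_bash "$prog"; then printf '%s\n' "$cmd"; fi
    done
}

# Build a constructed sample tree under the given directory.
make_sample() {
    mkdir -p "$1/bin" "$1/home/deploy/.ssh"
    : > "$1/bin/bash"                      # stand-in file, not a real shell
    ln -s bash "$1/bin/sh"                 # the layout guideline 1 warns about
    printf '#!/usr/local/bin/bash\ntar cf - /data\n' > "$1/bin/backup"
    printf '#!/bin/sh\nexec rsync --server "$@"\n' > "$1/bin/rsync-only"
    cat > "$1/passwd" <<EOF
root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
cgiuser:*:1001:1001:CGI sandbox:/home/cgiuser:/usr/local/bin/bash
EOF
    cat > "$1/home/deploy/.ssh/authorized_keys" <<EOF
# constructed keys, not usable
command="$1/bin/backup --nightly",no-pty ssh-ed25519 AAAA...constructed... backup@example
command="$1/bin/rsync-only",no-pty ssh-ed25519 AAAA...constructed... mirror@example
ssh-ed25519 AAAA...constructed... admin@example
EOF
}

# Run the three checks against the constructed sample and report findings.
sample=$(mktemp -d)
make_sample "$sample"
if sh_is_bash "$sample/bin/sh"; then
    echo "guideline 1: $sample/bin/sh resolves to bash"
fi
web_users_with_shell "$sample/passwd" www cgiuser | sed 's/^/guideline 2: /'
bash_forced_commands "$sample/home/deploy/.ssh/authorized_keys" |
    sed 's/^/guideline 6: /'
rm -rf "$sample"
```

On a real host the same functions take /bin/sh, /etc/passwd with the accounts your web server runs as, and each user's authorized_keys file.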


