Re: [OpenIndiana-discuss] Bash bug issue
On 04/11/2014 03:36, Bob Friesenhahn wrote: While it would be nice if Solaris software was all 64-bit, in actual practice I notice no difference in day to day use between systems with 32-bit applications and 64-bit. Only certain memory-hungry applications will significantly benefit. We spent some time investigating this 10 years back and found that for most apps that don't require the 64bit address space that they ran slower compiled for 64bit. 64bit file access was of some us to us but the we stuck with 64bit compiles and I expect that until CPU cache sizes increase a lot more there will be no gain outside the OS (and DBs etc) for 99% of current apps. ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
4 ноября 2014 г. 4:36:39 CET, Bob Friesenhahn bfrie...@simple.dallas.tx.us пишет: On Mon, 3 Nov 2014, Bruce Lilly wrote: As of this late date, /usr/bin/bash here is in fact the bash executable, not a link; but that means that it's 32-bit only and might well present unexpected issues on 64-bit systems when dealing with large files etc. (basically anything that involves pointers, long integers, time_t, ptrdiff_t, clock_t, dev_t, off_t, size_t, or ssize_t in the sources). Such problems are highly unlikely. Solaris supports large files (LFS) in 32-bit applications and Autoconf-configured GNU programs use it by default. Few shell jobs require over 2GB of data, so ptrdiff_t is not likely to be a problem, and size_t and ssize_t are unlikely to cause problems either. Perhaps time_t is still an issue. While it would be nice if Solaris software was all 64-bit, in actual practice I notice no difference in day to day use between systems with 32-bit applications and 64-bit. Only certain memory-hungry applications will significantly benefit. Regardless, the OpenIndiana project did produce an updated bash binary. I initially built my own, but switched to the OpenIndiana version when it became available. Bob Also note that 64-bit programs have a larger footprint in memory (bigger pointers). While people might dismiss it today (saying all our boxes are big anyway) - not all environments are big or get many benefits from such over-use of resources. You have laptops, vm's, local zones... even if the hardware box is a big powerhouse, why physically deny yourself an ability to run 70 mixed workloads instead of 50 64-bit ones (numbers made up arbitrarily)? Another rationale I saw in a Sun blog back when Solaris 10 was new and young (relaying from memory, corruption might collect over the years), was that much of the application worker code sufficed to be 32-bit so why not remain such (benefits above). Most of the access to larger items can be done with the 64-bit OS facilities (via syscalls? ipc? weird omnivore linking? I don't remember exactly now...) So most of the programs (thousands of binaries supplied with a sol10 distro and extension discs) remained 32-bit only. A minority of the lrograms that were deemed to really need this (under 700? or even 100?) were dual-built and provided with the isaexec hack to pick the right binary at run-time depending on the running kernel (32/64). So... just in case, here were some old news from the attic ;) You know where the grain and salt are ;) //Jim -- Typos courtesy of K-9 Mail on my Samsung Android ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On Tue, 4 Nov 2014, david allan finch wrote: On 04/11/2014 03:36, Bob Friesenhahn wrote: While it would be nice if Solaris software was all 64-bit, in actual practice I notice no difference in day to day use between systems with 32-bit applications and 64-bit. Only certain memory-hungry applications will significantly benefit. We spent some time investigating this 10 years back and found that for most apps that don't require the 64bit address space that they ran slower compiled for 64bit. 64bit file access was of some us to us but the we stuck with 64bit compiles and I expect that until CPU cache sizes increase a lot more there will be no gain outside the OS (and DBs etc) for 99% of current apps. The AMD64 ABI provides quite a lot more CPU registers than 32-bits. The function calling convention has changed to make better use of registers for passing values. This places less stress on the CPU L1 cache and allows the CPU to juggle more variables at once without doing loads/stores. In performance benchmarks, I do usually see a performance gain due to compiling as 64-bits on x86 hardware. Results are highly compiler dependent. Regardless, most OS 'utilities' are not CPU bound and so the difference may not be measurable for normal use. Bob -- Bob Friesenhahn bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer,http://www.GraphicsMagick.org/ ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On Tue, Nov 4, 2014 at 2:58 AM, Jim Klimov jimkli...@cos.ru wrote: On Mon, 3 Nov 2014, Bruce Lilly wrote: As of this late date, /usr/bin/bash here is in fact the bash executable, not a link; but that means that it's 32-bit only and might well [...] So most of the programs (thousands of binaries supplied with a sol10 distro and extension discs) remained 32-bit only. A minority of the lrograms that were deemed to really need this (under 700? or even 100?) were dual-built and provided with the isaexec hack to pick the right binary at run-time depending on the running kernel (32/64). One more note applicable to bash before I start a separate thread regarding 32-bit vs. 64 bit issues that aren't bash-specific: # ls /bin/amd64/*sh /*/bin/amd64/*sh /*/*/bin/amd64/*sh | egrep -v lish|ush|mash|rash|\.sh|ssh /bin/amd64/bash /bin/amd64/ksh /bin/amd64/rbash /bin/amd64/rksh /bin/amd64/tclsh /bin/amd64/tcsh /bin/amd64/wish /bin/amd64/zoomsh /usr/bin/amd64/bash /usr/bin/amd64/ksh /usr/bin/amd64/rbash /usr/bin/amd64/rksh /usr/bin/amd64/tclsh /usr/bin/amd64/tcsh /usr/bin/amd64/wish /usr/bin/amd64/zoomsh /usr/openwin/bin/amd64/bash /usr/openwin/bin/amd64/ksh /usr/openwin/bin/amd64/rbash /usr/openwin/bin/amd64/rksh /usr/openwin/bin/amd64/tclsh /usr/openwin/bin/amd64/tcsh /usr/openwin/bin/amd64/wish /usr/openwin/bin/amd64/zoomsh /usr/X/bin/amd64/bash /usr/X/bin/amd64/ksh /usr/X/bin/amd64/rbash /usr/X/bin/amd64/rksh /usr/X/bin/amd64/tclsh /usr/X/bin/amd64/tcsh /usr/X/bin/amd64/wish /usr/X/bin/amd64/zoomsh /usr/X11/bin/amd64/bash /usr/X11/bin/amd64/ksh /usr/X11/bin/amd64/rbash /usr/X11/bin/amd64/rksh /usr/X11/bin/amd64/tclsh /usr/X11/bin/amd64/tcsh /usr/X11/bin/amd64/wish /usr/X11/bin/amd64/zoomsh /usr/X11R6/bin/amd64/bash /usr/X11R6/bin/amd64/ksh /usr/X11R6/bin/amd64/rbash /usr/X11R6/bin/amd64/rksh /usr/X11R6/bin/amd64/tclsh /usr/X11R6/bin/amd64/tcsh /usr/X11R6/bin/amd64/wish /usr/X11R6/bin/amd64/zoomsh Evidently there are quite a few shells -- N.B. including bash -- where the packagers seem to have decided there were issues warranting building and packaging 64-bit versions. I'll let somebody else figure out exactly why the recent updated version of /usr/bin/bash trampled on the isaexec pointing to separate 32- and 64-bit versions; I don't really care much about bash per se as I don't use it (for reasons having to do with familiarity, usability, portability, and reliability; before shellshock added security to that list). ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On Sat, Oct 4, 2014 at 11:05 AM, cpforum cpfo...@orange.fr wrote: cd /usr/bin mv bash bash-oi_151a9 ln -s /usr/local/bin/bash bash While that would be reasonable under many operating systems, it *may* present problems on Solaris-derived systems, especially 64-bit systems. See http://docs.oracle.com/cd/E18752_01/html/816-5138/index.html (a bit dated w.r.t. compiler flags, but the principles are still valid, as is most of the content). Note in particular that /usr/bin/bash *might* very well be a hard link to /usr/lib/isaexec and that the real executables *might* live under /usr/bin/i86pc and /usr/bin/amd64 (on i86 hardware of course). It would be prudent to check first before moving and/or linking files in /bin, /usr/bin, /usr/sbin, /usr/lib, ... Actual conditions depend on whether or not the packager paid any attention to 32-bit vs. 64-bit issues, and isn't bash-specific. As of this late date, /usr/bin/bash here is in fact the bash executable, not a link; but that means that it's 32-bit only and might well present unexpected issues on 64-bit systems when dealing with large files etc. (basically anything that involves pointers, long integers, time_t, ptrdiff_t, clock_t, dev_t, off_t, size_t, or ssize_t in the sources). If you are building from source on a 64-bit system, I strongly recommend reading that document. Note that for ksh, the situation described in the 64-bit Solaris Developer's Guide applies: #: isainfo -v 64-bit amd64 applications cx16 sse3 sse2 sse fxsr mmx cmov amd_sysc cx8 tsc fpu 32-bit i386 applications ahf cx16 sse3 sse2 sse fxsr mmx cmov sep cx8 tsc fpu #: ls -l /bin/ksh* /usr/bin/ksh* /bin/*/ksh* /usr/bin/*/ksh* /usr/lib/isaexec -r-xr-xr-x 4 root bin 9712 2013-07-21 10:35 /bin/amd64/ksh -r-xr-xr-x 4 root bin 9712 2013-07-21 10:35 /bin/amd64/ksh93 -r-xr-xr-x 4 root bin 8064 2013-07-21 10:35 /bin/i86/ksh -r-xr-xr-x 4 root bin 8064 2013-07-21 10:35 /bin/i86/ksh93 -r-xr-xr-x 87 root bin 8064 2013-07-21 10:35 /bin/ksh -r-xr-xr-x 87 root bin 8064 2013-07-21 10:35 /bin/ksh93 -r-xr-xr-x 4 root bin 9712 2013-07-21 10:35 /usr/bin/amd64/ksh -r-xr-xr-x 4 root bin 9712 2013-07-21 10:35 /usr/bin/amd64/ksh93 -r-xr-xr-x 4 root bin 8064 2013-07-21 10:35 /usr/bin/i86/ksh -r-xr-xr-x 4 root bin 8064 2013-07-21 10:35 /usr/bin/i86/ksh93 -r-xr-xr-x 87 root bin 8064 2013-07-21 10:35 /usr/bin/ksh -r-xr-xr-x 87 root bin 8064 2013-07-21 10:35 /usr/bin/ksh93 -r-xr-xr-x 87 root bin 8064 2013-07-21 10:35 /usr/lib/isaexec This topic appears not to be addressed adequately on the OpenIndiana wiki (certainly no mention under Compiling+software+on+OpenIndiana) or the illumos site (certainly no mention under Building+illumos+and+OpenIndiana there). It seems to be something one either knows about or not (I stumbled upon it while researching why uname -m and uname -p returns the same values on 32-bit and 64-bit installations (and is therefore useless in determining whether the installation is 32- or 64-bit), and why all of the executables in /bin (etc) are 32-bit applications on my 64-bit systems, and why all executables built on my 64-bit systems are 32-bit executables when built using default compilation flags -- all of those being unexpected). ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On Mon, 3 Nov 2014, Bruce Lilly wrote: As of this late date, /usr/bin/bash here is in fact the bash executable, not a link; but that means that it's 32-bit only and might well present unexpected issues on 64-bit systems when dealing with large files etc. (basically anything that involves pointers, long integers, time_t, ptrdiff_t, clock_t, dev_t, off_t, size_t, or ssize_t in the sources). Such problems are highly unlikely. Solaris supports large files (LFS) in 32-bit applications and Autoconf-configured GNU programs use it by default. Few shell jobs require over 2GB of data, so ptrdiff_t is not likely to be a problem, and size_t and ssize_t are unlikely to cause problems either. Perhaps time_t is still an issue. While it would be nice if Solaris software was all 64-bit, in actual practice I notice no difference in day to day use between systems with 32-bit applications and 64-bit. Only certain memory-hungry applications will significantly benefit. Regardless, the OpenIndiana project did produce an updated bash binary. I initially built my own, but switched to the OpenIndiana version when it became available. Bob -- Bob Friesenhahn bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer,http://www.GraphicsMagick.org/ ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 11/ 3/14 07:36 PM, Bob Friesenhahn wrote: Perhaps time_t is still an issue. It is. 32-bit binaries will not be able to handle time_t values past January 2038, whether in API's to get the current time or to access timestamps on files. https://blogs.oracle.com/alanc/entry/lp64_bit_by_bit#lp64-abi-changes lists some other differences between the 32-bit 64-bit ABI's on Solaris/illumos OS'es (though illumos won't see the ASLR or ADI benefits, since those are post-closing additions to Solaris). -- -Alan Coopersmith- alan.coopersm...@oracle.com Oracle Solaris Engineering - http://blogs.oracle.com/alanc ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
Thanks, Jon! This makes me really happy with OI. Actually this small advancement in OI /dev a9 makes me happier than all great advancements in /hipster. Regards, Dmitry. Jon Tibble has just pushed updated bash package with recent security fixes to OI /dev a9. ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
Thanks from me too! Thanks to all who keep OI alive! -Oorspronkelijk bericht- Van: Dmitry Kozhinov [mailto:d...@desktopfay.com] Verzonden: dinsdag 14 oktober 2014 17:52 Aan: openindiana-discuss@openindiana.org Onderwerp: Re: [OpenIndiana-discuss] Bash bug issue Thanks, Jon! This makes me really happy with OI. Actually this small advancement in OI /dev a9 makes me happier than all great advancements in /hipster. Regards, Dmitry. Jon Tibble has just pushed updated bash package with recent security fixes to OI /dev a9. ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 10/13/2014 17:19, Alexander Pyhalov wrote: Hello. Jon Tibble has just pushed updated bash package with recent security fixes to OI /dev a9. Just update your bash to shell/bash@4.0.28,5.11-0.151.1.9:20140117T202904Z . Sorry, you want more fresh version - shell/bash@4.0.28,5.11-0.151.1.9:20141013T104806Z -- Best regards, Alexander Pyhalov, system administrator of Southern Federal University IT department ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
Thanks for this! On Mon, Oct 13, 2014 at 1:19 PM, Alexander Pyhalov a...@rsu.ru wrote: Hello. Jon Tibble has just pushed updated bash package with recent security fixes to OI /dev a9. Just update your bash to shell/bash@4.0.28,5.11-0.151.1.9:20140117T202904Z . -- Best regards, Alexander Pyhalov, system administrator of Southern Federal University IT department ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 14/10/2014 12:19 AM, Alexander Pyhalov wrote: Hello. Jon Tibble has just pushed updated bash package with recent security fixes to OI /dev a9. Just update your bash to shell/bash@4.0.28,5.11-0.151.1.9:20140117T202904Z . Any chance that the same could be done for a8? I can't get to a9 - it always fails to upgrade for me. ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 09/10/2014 14:18, Cal Sawyer wrote: Thanks very much for the reply and the succinct description of what's happened to OI development, Udo Good luck to everyone who's using OI in actual production! Me and my 65TB need to leave the building :) We have 400 TB and are still in... -- Dr.Udo Grabowski Inst.f.Meteorology Climate Research IMK-ASF-SAT http://www.imk-asf.kit.edu/english/sat.php KIT - Karlsruhe Institute of Technology http://www.kit.edu Postfach 3640,76021 Karlsruhe,Germany T:(+49)721 608-26026 F:-926026 ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 10/ 5/14 10:40 PM, Bob Friesenhahn wrote: On Mon, 6 Oct 2014, Ian Collins wrote: Bob Friesenhahn wrote: It is always good to execute 'gmake check' before installing sofware that comes with a test suite. Some bash tests seem to fail. If you check the comments printed by the tests, it looks like the failures seen on Solaris based OS are expected. Under OpenIndiana I saw some differences in output which may be due to small issues with internationalized character sets (locales). OpenIndiana uses different internationalization code than Solaris since it was written from scratch by the Illumos project. Yeah as I understand it was closed source/proprietary part in Opensolaris. The bash I built (4.3.29) seems to be working fine for my purposes but I don't use bash as an interactive shell. You can post a bug on OI for that internationalization issue, it is always useful to have something like that described in detail in bug report. ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
2014-10-03 11:55 GMT+02:00 Andreas Wacknitz a.wackn...@gmx.de: What most people don’t understand is that OpenIndiana is YOURS. OpenIndiana is just a name with no company behind. If you want something and nobody else is doing it then do it by yourself. So instead of taking notes you should start acting. I know. But it looks like openindiana at the moment hasn't got the community momentum necessary to keep up with security issues. No blame to anyone, but one has to keep it into account if using in a production environment. -- Frank Van Damme Make everything as simple as possible, but not simpler. - Albert Einstein ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
2014-10-06 9:31 GMT+02:00 Frank Van Damme frank.vanda...@gmail.com: 2014-10-03 11:55 GMT+02:00 Andreas Wacknitz a.wackn...@gmx.de: What most people don’t understand is that OpenIndiana is YOURS. OpenIndiana is just a name with no company behind. If you want something and nobody else is doing it then do it by yourself. So instead of taking notes you should start acting. I know. But it looks like openindiana at the moment hasn't got the community momentum necessary to keep up with security issues. No blame to anyone, but one has to keep it into account if using in a production environment. FYI, OpenCSW seems to have a more current Bash version on board: http://www.opencsw.org/package/bash/ -- Frank Van Damme Make everything as simple as possible, but not simpler. - Albert Einstein ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
Per openindiana.org: OpenIndiana is a robust enterprise operating system If the only solutions being offered after nearly 2 weeks are a) use ksh because bash is somehow inferior (shades of csh-is-deterimental) or 2. rebuild bash youself from source, i'd have to say that imho it's the polar opposite and this appears to be confirmed in Andreas's post. OmniOS had, as did virtually world+dog, a patch out the day after the bug was announced - which is consistent with a/proper/ distribution, and it's where i'm going now - cal sawyer (on oi_151a8) 2014-10-03 11:55 GMT+02:00 Andreas Wacknitza.wackn...@gmx.de: What most people don?t understand is that OpenIndiana is YOURS. OpenIndiana is just a name with no company behind. If you want something and nobody else is doing it then do it by yourself. So instead of taking notes you should start acting. I know. But it looks like openindiana at the moment hasn't got the community momentum necessary to keep up with security issues. No blame to anyone, but one has to keep it into account if using in a production environment. -- Frank Van Damme Make everything as simple as possible, but not simpler. - Albert Einstein ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 06/10/2014 14:54, Cal Sawyer wrote: ... If the only solutions being offered after nearly 2 weeks are a) use ksh because bash is somehow inferior (shades of csh-is-deterimental) or 2. rebuild bash youself from source, i'd have to say that imho it's the polar opposite and this appears to be confirmed in Andreas's post. The simple fact is: The /dev maintainer(s?) seem to have silently resigned without handing over the keys So no one is left who actually can apply and distribute the patch (which shouldn't be that difficult, as it's only one package); the /hipster community up to now has served only itself for the purpose of porting the complete OI userland to gcc, and now, as the pressure is rising, is trying to reorganise to take over /dev to actually make stable and useable production releases. This will take time, but I'm completely with you that a patch for /dev/ should be made available as fast as possible, so the very first task is to actually get access to the /dev/ infrastructure to get at least something started. -- Dr.Udo Grabowski Inst.f.Meteorology Climate Research IMK-ASF-SAT http://www.imk-asf.kit.edu/english/sat.php KIT - Karlsruhe Institute of Technology http://www.kit.edu Postfach 3640,76021 Karlsruhe,Germany T:(+49)721 608-26026 F:-926026 ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On Thu, Oct 2, 2014 at 8:12 AM, Alan Coopersmith alan.coopersm...@oracle.com wrote: On 10/ 2/14 07:00 AM, Brandon Hume wrote: On many (most? all?) Linuxes, /bin/sh *is* /bin/bash. Many, but not all - the Debian family and some others use a lighter weight, POSIX compatible shell instead, dash, the Debian Almquist Shell; and many embedded distros use BusyBox instead. https://en.wikipedia.org/wiki/Almquist_shell http://lwn.net/Articles/343924/ A big driver of this was faster boot, since boot scripts run on /bin/sh. On some systems the startup time for all those bash processes was a considerable portion of the total boot time. Note: It's not enough to make sure no CGI scripts are being run with /bin/bash. You also need to make sure no bash processes are being launched by other scripts, since many scripting languages launch a shell to run external commands. Unless the environment is explicitly cleared these are likely to inherit the environment of the calling process, with all the nasties in it. -- D. Brodbeck System Administrator, Linguistics University of Washington GPG key fingerprint: 0DB7 4B50 8910 DBC5 B510 79C4 3970 2BC3 2078 D875 ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
There are a lot of tools depending on bash. Including virusscanners and spamfilters. The openCSW bash installs into another directory then the real/old bash. How can you change the old bash with the openCSW bash? I saw that solaris 11.2 supports a lot of (old) sparc hardware. And most of the ever produced X86 servers. Supportcontracts are reasonable priced i think. Aspecialy in this situation... On 6 oktober 2014 19:28:00 David Brodbeck bro...@uw.edu wrote: On Thu, Oct 2, 2014 at 8:12 AM, Alan Coopersmith alan.coopersm...@oracle.com wrote: On 10/ 2/14 07:00 AM, Brandon Hume wrote: On many (most? all?) Linuxes, /bin/sh *is* /bin/bash. Many, but not all - the Debian family and some others use a lighter weight, POSIX compatible shell instead, dash, the Debian Almquist Shell; and many embedded distros use BusyBox instead. https://en.wikipedia.org/wiki/Almquist_shell http://lwn.net/Articles/343924/ A big driver of this was faster boot, since boot scripts run on /bin/sh. On some systems the startup time for all those bash processes was a considerable portion of the total boot time. Note: It's not enough to make sure no CGI scripts are being run with /bin/bash. You also need to make sure no bash processes are being launched by other scripts, since many scripting languages launch a shell to run external commands. Unless the environment is explicitly cleared these are likely to inherit the environment of the calling process, with all the nasties in it. -- D. Brodbeck System Administrator, Linguistics University of Washington GPG key fingerprint: 0DB7 4B50 8910 DBC5 B510 79C4 3970 2BC3 2078 D875 ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
Search q-nap shellshock and you see how deep this goes... On 6 oktober 2014 19:28:00 David Brodbeck bro...@uw.edu wrote: On Thu, Oct 2, 2014 at 8:12 AM, Alan Coopersmith alan.coopersm...@oracle.com wrote: On 10/ 2/14 07:00 AM, Brandon Hume wrote: On many (most? all?) Linuxes, /bin/sh *is* /bin/bash. Many, but not all - the Debian family and some others use a lighter weight, POSIX compatible shell instead, dash, the Debian Almquist Shell; and many embedded distros use BusyBox instead. https://en.wikipedia.org/wiki/Almquist_shell http://lwn.net/Articles/343924/ A big driver of this was faster boot, since boot scripts run on /bin/sh. On some systems the startup time for all those bash processes was a considerable portion of the total boot time. Note: It's not enough to make sure no CGI scripts are being run with /bin/bash. You also need to make sure no bash processes are being launched by other scripts, since many scripting languages launch a shell to run external commands. Unless the environment is explicitly cleared these are likely to inherit the environment of the calling process, with all the nasties in it. -- D. Brodbeck System Administrator, Linguistics University of Washington GPG key fingerprint: 0DB7 4B50 8910 DBC5 B510 79C4 3970 2BC3 2078 D875 ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
These aren't new aspects of the bug. The fact is that default operation of systems using bash as the shell for interpolation with system or for scripts interpreted by bash allows remote code execution by taking strings from untrusted sources (e.g. USER_AGENT in web servers) and passing them through the environment, which allows remote code execution. What you're reporting here is instances of the resulting problem in products matching this description, not fundamental changes to the understanding of the bug. What's been difficult is that Red Hat's security response team and bash upstream initially differed on the scope of the issue and thus patching, as Red Hat believed there were broader problems and that upstream patches were therefore too limited in scope. Red Hat was subsequently shown to be correct. The confusion is that there are a number of CVEs out there, and the patches went out in batches. There are quite a variety of tests proposed for the fully documented CVEs, and some of the CVEs remain embargoed, with Red Hat simply advising that people take patches which bash upstream subsequently accepted. On 6 October 2014 18:58, The Outsider openindi...@out-side.nl wrote: Search q-nap shellshock and you see how deep this goes... On 6 oktober 2014 19:28:00 David Brodbeck bro...@uw.edu wrote: On Thu, Oct 2, 2014 at 8:12 AM, Alan Coopersmith alan.coopersm...@oracle.com wrote: On 10/ 2/14 07:00 AM, Brandon Hume wrote: On many (most? all?) Linuxes, /bin/sh *is* /bin/bash. Many, but not all - the Debian family and some others use a lighter weight, POSIX compatible shell instead, dash, the Debian Almquist Shell; and many embedded distros use BusyBox instead. https://en.wikipedia.org/wiki/Almquist_shell http://lwn.net/Articles/343924/ A big driver of this was faster boot, since boot scripts run on /bin/sh. On some systems the startup time for all those bash processes was a considerable portion of the total boot time. Note: It's not enough to make sure no CGI scripts are being run with /bin/bash. You also need to make sure no bash processes are being launched by other scripts, since many scripting languages launch a shell to run external commands. Unless the environment is explicitly cleared these are likely to inherit the environment of the calling process, with all the nasties in it. -- D. Brodbeck System Administrator, Linguistics University of Washington GPG key fingerprint: 0DB7 4B50 8910 DBC5 B510 79C4 3970 2BC3 2078 D875 ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
The gift keeps on giving. There is yet another related security patch for bash. Here is the one for bash 4.3: http://lists.gnu.org/archive/html/bug-bash/2014-10/msg00040.html Bob -- Bob Friesenhahn bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer,http://www.GraphicsMagick.org/ ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
Which CVE is that, or is it something else? On Oct 6, 2014, at 9:35 PM, Bob Friesenhahn bfrie...@simple.dallas.tx.us wrote: The gift keeps on giving. There is yet another related security patch for bash. Here is the one for bash 4.3: http://lists.gnu.org/archive/html/bug-bash/2014-10/msg00040.html Bob -- Bob Friesenhahn bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer,http://www.GraphicsMagick.org/ ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
The -07 version of the solaris 10 Oracle patch is from last monday. Seems to me it fixes all. But had little time to test it. On 2 oktober 2014 17:24:00 Alan Coopersmith alan.coopersm...@oracle.com wrote: On 10/ 2/14 07:20 AM, Bob Friesenhahn wrote: On Thu, 2 Oct 2014, Brandon Hume wrote: On 26/09/2014 8:47 PM, Gary Gendel wrote: The current maintainer says it's been in bash for ~20 years, why it's not in Solaris 10 is a mystery. It is in Solaris 10. (And 11.) The test being used is flawed: env X=() { :;} ; echo busted /bin/sh -c echo completed The good news is that if you have a support contract, there is a Solaris 10 bash patch which seems to solve all the reported attack vectors (in my own testing). It took Oracle two patches to get things right. People found more bugs after the first patch went out. There are 6 CVE's for bash announced in the last week after all. -- -Alan Coopersmith- alan.coopersm...@oracle.com Oracle Solaris Engineering - http://blogs.oracle.com/alanc ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
Bob Friesenhahn wrote: It is always good to execute 'gmake check' before installing sofware that comes with a test suite. Some bash tests seem to fail. If you check the comments printed by the tests, it looks like the failures seen on Solaris based OS are expected. I've been using 4.1.15 build on Solaris 10 for most systems. -- Ian. ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On Mon, 6 Oct 2014, Ian Collins wrote: Bob Friesenhahn wrote: It is always good to execute 'gmake check' before installing sofware that comes with a test suite. Some bash tests seem to fail. If you check the comments printed by the tests, it looks like the failures seen on Solaris based OS are expected. Under OpenIndiana I saw some differences in output which may be due to small issues with internationalized character sets (locales). OpenIndiana uses different internationalization code than Solaris since it was written from scratch by the Illumos project. The bash I built (4.3.29) seems to be working fine for my purposes but I don't use bash as an interactive shell. Bob -- Bob Friesenhahn bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer,http://www.GraphicsMagick.org/ ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
First : building openindiana a10 with updated commands (including a secure bash) urge :-) Second : because ksh is ten time powerfull and reliable than bash leave bash and adopt ksh. If you want history put ' set -o emacs' inside your .profile For exemple ksh can be compiled (shcomp), has object oriented programming features and many other features bash has'nt. Third : while waiting for openindiana a10 compile bash. It takes 15 minutes. Get bash and patch from ftp.gnu.org/gnu/bash $ ls bash-4.3 bash43-007.sig bash43-015.sig bash43-023.sig bash-4.3.tar.gz bash43-008 bash43-016 bash43-024 bash-4.3.tar.gz.sig bash43-008.sig bash43-016.sig bash43-024.sig bash43-001 bash43-009 bash43-017 bash43-025 bash43-001.sig bash43-009.sig bash43-017.sig bash43-025.sig bash43-002 bash43-010 bash43-018 bash43-026 bash43-002.sig bash43-010.sig bash43-018.sig bash43-026.sig bash43-003 bash43-011 bash43-019 bash43-027 bash43-003.sig bash43-011.sig bash43-019.sig bash43-027.sig bash43-004 bash43-012 bash43-020 bash43-028 bash43-004.sig bash43-012.sig bash43-020.sig bash43-028.sig bash43-005 bash43-013 bash43-021 bash43-029 bash43-005.sig bash43-013.sig bash43-021.sig bash43-029.sig bash43-006 bash43-014 bash43-022 bash43-006.sig bash43-014.sig bash43-022.sig bash43-007 bash43-015 bash43-023 Go under ksh Important for {1-29%03d} $ ksh $ cd bash-4.3 Apply all patch 001 to 029 $ for p in {1..29%03d} ksh is powerfull than bash do gpatch -p0 ../bash43-$p done $ ./configure $ gmake $ gmake install /usr/local/bin/bash --version GNU bash, version 4.3.29(1)-release (i386-pc-solaris2.11) Copyright (C) 2013 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software; you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. /usr/local/bin/bash Verify it's OK Then cd /usr/bin mv bash bash-oi_151a9 ln -s /usr/local/bin/bash bash Message du 02/10/14 17:13 De : Alan Coopersmith A : Discussion list for OpenIndiana Copie à : Objet : Re: [OpenIndiana-discuss] Bash bug issue On 10/ 2/14 07:00 AM, Brandon Hume wrote: On many (most? all?) Linuxes, /bin/sh *is* /bin/bash. Many, but not all - the Debian family and some others use a lighter weight, POSIX compatible shell instead, dash, the Debian Almquist Shell; and many embedded distros use BusyBox instead. https://en.wikipedia.org/wiki/Almquist_shell http://lwn.net/Articles/343924/ -- -Alan Coopersmith- alan.coopersm...@oracle.com Oracle Solaris Engineering - http://blogs.oracle.com/alanc ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On Sat, 4 Oct 2014, cpforum wrote: First : building openindiana a10 with updated commands (including a secure bash) urge :-) Second : because ksh is ten time powerfull and reliable than bash leave bash and adopt ksh. If you want history put ' set -o emacs' inside your .profile ksh provided by OpenIndiana is also outdated and broken. :-( Your instructions are useful. It is always good to execute 'gmake check' before installing sofware that comes with a test suite. Some bash tests seem to fail. Bob -- Bob Friesenhahn bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer,http://www.GraphicsMagick.org/ ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
Message du 04/10/14 17:28 De : Bob Friesenhahn A : Discussion list for OpenIndiana Copie à : Objet : Re: [OpenIndiana-discuss] Bash bug issue ksh provided by OpenIndiana is also outdated and broken. :-( Your instructions are useful. It is always good to execute 'gmake check' before installing sofware that comes with a test suite. Some bash tests seem to fail. Bob ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
2014-10-02 1:06 GMT+02:00 Bob Friesenhahn bfrie...@simple.dallas.tx.us: I am not sure who has the ability to build and update OpenIndiana packages, but it will be really really bad for the future of OpenIndiana if it fails to supply a fixed version of its bash package. I have only one system running OpenIndiana, not a webserver. This little bug indeed makes one wonder if OpenIndiana ever pays any attention to security at all. Looks like there's no one home at http://openindiana.org/support/security-advisories/ ... Note taken. -- Frank Van Damme Make everything as simple as possible, but not simpler. - Albert Einstein ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
Am 03.10.2014 um 11:49 schrieb Frank Van Damme frank.vanda...@gmail.com: 2014-10-02 1:06 GMT+02:00 Bob Friesenhahn bfrie...@simple.dallas.tx.us: I am not sure who has the ability to build and update OpenIndiana packages, but it will be really really bad for the future of OpenIndiana if it fails to supply a fixed version of its bash package. I have only one system running OpenIndiana, not a webserver. This little bug indeed makes one wonder if OpenIndiana ever pays any attention to security at all. Looks like there's no one home at http://openindiana.org/support/security-advisories/ ... Note taken. What most people don’t understand is that OpenIndiana is YOURS. OpenIndiana is just a name with no company behind. If you want something and nobody else is doing it then do it by yourself. So instead of taking notes you should start acting. Andreas ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
Has anyone tried to install the patched BASH version of https://unixpackages.com [1] ? It installs to a different location then the OI Bash and gives an error : bash --version ld.so.1: bash: fatal: libintl.so.8: open failed: No such file or directory Killed does anyone have a solution for a manual update of bash? Links: -- [1] https://unixpackages.com ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 26/09/2014 8:47 PM, Gary Gendel wrote: The current maintainer says it's been in bash for ~20 years, why it's not in Solaris 10 is a mystery. It is in Solaris 10. (And 11.) The test being used is flawed: env X=() { :;} ; echo busted /bin/sh -c echo completed This just tests whether or not /bin/sh is vulnerable, and on Solaris /bin/sh != /bin/bash (unless your admin is insane and dropped it in place, which can't really be ruled out). On many (most? all?) Linuxes, /bin/sh *is* /bin/bash. So Solaris and derivatives have the bug, but the attack surface isn't anywhere near as massive as on a Linux distribution. But if someone has written scripts explicitly using /bin/bash, or if you have sudo configurations that don't clean out the environment, you can get bitten. ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 10/ 2/14 07:20 AM, Bob Friesenhahn wrote: On Thu, 2 Oct 2014, Brandon Hume wrote: On 26/09/2014 8:47 PM, Gary Gendel wrote: The current maintainer says it's been in bash for ~20 years, why it's not in Solaris 10 is a mystery. It is in Solaris 10. (And 11.) The test being used is flawed: env X=() { :;} ; echo busted /bin/sh -c echo completed The good news is that if you have a support contract, there is a Solaris 10 bash patch which seems to solve all the reported attack vectors (in my own testing). It took Oracle two patches to get things right. People found more bugs after the first patch went out. There are 6 CVE's for bash announced in the last week after all. -- -Alan Coopersmith- alan.coopersm...@oracle.com Oracle Solaris Engineering - http://blogs.oracle.com/alanc ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 10/ 2/14 07:00 AM, Brandon Hume wrote: On many (most? all?) Linuxes, /bin/sh *is* /bin/bash. Many, but not all - the Debian family and some others use a lighter weight, POSIX compatible shell instead, dash, the Debian Almquist Shell; and many embedded distros use BusyBox instead. https://en.wikipedia.org/wiki/Almquist_shell http://lwn.net/Articles/343924/ -- -Alan Coopersmith- alan.coopersm...@oracle.com Oracle Solaris Engineering - http://blogs.oracle.com/alanc ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
It is very strange with the oracle updates for Solaris 10 11 Is far as I can see, Solaris 10 and Solaris 11 get different bash versions after the patch. I don't know what is allowed to say about it in public, but both test negative on the (simple) shockshell tests I found. (so they seem secured) -Oorspronkelijk bericht- Van: Alan Coopersmith [mailto:alan.coopersm...@oracle.com] Verzonden: donderdag 2 oktober 2014 17:10 Aan: Discussion list for OpenIndiana Onderwerp: Re: [OpenIndiana-discuss] Bash bug issue On 10/ 2/14 07:20 AM, Bob Friesenhahn wrote: On Thu, 2 Oct 2014, Brandon Hume wrote: On 26/09/2014 8:47 PM, Gary Gendel wrote: The current maintainer says it's been in bash for ~20 years, why it's not in Solaris 10 is a mystery. It is in Solaris 10. (And 11.) The test being used is flawed: env X=() { :;} ; echo busted /bin/sh -c echo completed The good news is that if you have a support contract, there is a Solaris 10 bash patch which seems to solve all the reported attack vectors (in my own testing). It took Oracle two patches to get things right. People found more bugs after the first patch went out. There are 6 CVE's for bash announced in the last week after all. -- -Alan Coopersmith- alan.coopersm...@oracle.com Oracle Solaris Engineering - http://blogs.oracle.com/alanc ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 10/ 2/14 01:37 PM, outsider wrote: It is very strange with the oracle updates for Solaris 10 11 Is far as I can see, Solaris 10 and Solaris 11 get different bash versions after the patch. They had different bash versions before the patch too. Upstream released fixes for bash versions from 2.0 to 4.3, so that distros/packagers weren't forced to update to the latest just to get the fixes. There is nothing strange here, just don't expect to have the same software versions in two OS's released 7 years apart. -- -Alan Coopersmith- alan.coopersm...@oracle.com Oracle Solaris Engineering - http://blogs.oracle.com/alanc ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
So, do you mean that ksh93 does not have the vulnerability? http://lists.research.att.com/pipermail/ast-developers/2014q3/003964.html On Tue, Sep 30, 2014 at 10:02 AM, Bob Friesenhahn bfrie...@simple.dallas.tx.us wrote: On Tue, 30 Sep 2014, Jim Klimov wrote: Maybe a stupid question on my side (sorry i'm overwhelmed with relocation and other life events), but how really is this bug exploitable? Especially on Solaris and illumos systems with sh/ksh by default and assumed no scripted CGI (hosts of native or java sourced web-code though) ? It is readily exploitable for web CGI scripts which provide/export values provided by the web server and remote client as environment variables. The CGI paradigm has thoroughly permiated web application infrastructures. The exploit requires that bash be executed with the problematic environment variables already set. Service applications obtained from Linux often require bash in order to run. On my own systems, the only service I found which was suspect was 'git' and 'gitweb.cgi' since the 'git' implementation depends on many shell scripts, which specifically depend on bash. For example, this is output from the test-cgi script provided with Apache: CGI/1.0 test script report: argc is 0. argv is . SERVER_SOFTWARE = Apache/2.0.63 (Unix) DAV/2 SERVER_NAME = www.simplesystems.org GATEWAY_INTERFACE = CGI/1.1 SERVER_PROTOCOL = HTTP/1.1 SERVER_PORT = 80 REQUEST_METHOD = GET HTTP_ACCEPT = text/html,application/xhtml+xml,application/xml;q=0.9,*/*; q=0.8 PATH_INFO = PATH_TRANSLATED = SCRIPT_NAME = /cgi-bin/test-cgi QUERY_STRING = REMOTE_HOST = REMOTE_ADDR = 65.66.245.66 REMOTE_USER = AUTH_TYPE = CONTENT_TYPE = CONTENT_LENGTH = and this is output from a Perl script called 'printenv' which prints everything made available: DOCUMENT_ROOT=/html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html,application/xhtml+xml, application/xml;q=0.9,*/*;q=0.8 HTTP_ACCEPT_ENCODING=gzip, deflate HTTP_ACCEPT_LANGUAGE=en-US,en;q=0.5 HTTP_CONNECTION=keep-alive HTTP_HOST=www.simplesystems.org HTTP_USER_AGENT=Mozilla/5.0 (X11; SunOS i86pc; rv:30.0) Gecko/20100101 Firefox/30.0 PATH=/usr/sbin:/usr/bin QUERY_STRING= REMOTE_ADDR=65.66.245.66 REMOTE_PORT=53877 REQUEST_METHOD=GET REQUEST_URI=/cgi-bin/printenv SCRIPT_FILENAME=/var/apache2/cgi-bin/printenv SCRIPT_NAME=/cgi-bin/printenv SERVER_ADDR=65.66.246.89 SERVER_ADMIN=webma...@simplesystems.org SERVER_NAME=www.simplesystems.org SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.1 SERVER_SIGNATURE=addressApache/2.0.63 (Unix) DAV/2 Server at www.simplesystems.org Port 80/address\n SERVER_SOFTWARE=Apache/2.0.63 (Unix) DAV/2 TZ=US/Central UNIQUE_ID=rExdoEFC9koAAEJpoxgJ -- Bob Friesenhahn bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer,http://www.GraphicsMagick.org/ ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
I am not sure who has the ability to build and update OpenIndiana packages, but it will be really really bad for the future of OpenIndiana if it fails to supply a fixed version of its bash package. This article (including many example exploits) was posted on another list: http://www.fireeye.com/blog/technical/2014/09/shellshock-in-the-wild.html Known exploits include Web CGI, DHCP client, OpenVPN, ssh, gitweb, and (possibly) git service. Even if the service is implemented in Perl, Python, Java, or C, it may still be exploitable if it exports externally-provided data as environment variables some program it invokes eventually happens to execute bash. While bash is not a native shell for OpenIndiana, it is quite heavily used. It is unfortunate that it is often used as a user login shell so it is painful to simply move the existing binary to the side. Bob -- Bob Friesenhahn bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer,http://www.GraphicsMagick.org/ ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
I’m in a similar situation: Solaris 11 at home, without support contract. My solution was to install OpenCSW’s updated bash (I had OpenCSW in place anyway), move /usr/bin/bash out of the way, and symlink /opt/csw/bin/bash to /usr/bin/bash. Use a copy instead of a symlink if /opt is a separate filesystem! And remember to undo those changes to /usr/bin _before_ installing a properly packaged update. Until Apple released their fix, I did something similar on my Macs using MacPorts. It’s temporary, and all my publicly accessible web servers etc have access controls anyway; but until a legitimate update comes along, it’s a lot better than nothing. For Solaris 11, I’ll just have to wait for 11.3 to have an official fix without support contract (probably six months or so?). On Oct 1, 2014, at 7:06 PM, Bob Friesenhahn bfrie...@simple.dallas.tx.us wrote: I am not sure who has the ability to build and update OpenIndiana packages, but it will be really really bad for the future of OpenIndiana if it fails to supply a fixed version of its bash package. This article (including many example exploits) was posted on another list: http://www.fireeye.com/blog/technical/2014/09/shellshock-in-the-wild.html Known exploits include Web CGI, DHCP client, OpenVPN, ssh, gitweb, and (possibly) git service. Even if the service is implemented in Perl, Python, Java, or C, it may still be exploitable if it exports externally-provided data as environment variables some program it invokes eventually happens to execute bash. While bash is not a native shell for OpenIndiana, it is quite heavily used. It is unfortunate that it is often used as a user login shell so it is painful to simply move the existing binary to the side. Bob -- Bob Friesenhahn bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer,http://www.GraphicsMagick.org/ ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On Oct 1, 2014, at 7:06 PM, Bob Friesenhahn bfrie...@simple.dallas.tx.us wrote: I am not sure who has the ability to build and update OpenIndiana packages, but it will be really really bad for the future of OpenIndiana if it fails to supply a fixed version of its bash package. This article (including many example exploits) was posted on another list: http://www.fireeye.com/blog/technical/2014/09/shellshock-in-the-wild.html Known exploits include Web CGI, DHCP client, OpenVPN, ssh, gitweb, and (possibly) git service. Even if the service is implemented in Perl, Python, Java, or C, it may still be exploitable if it exports externally-provided data as environment variables some program it invokes eventually happens to execute bash. While bash is not a native shell for OpenIndiana, it is quite heavily used. It is unfortunate that it is often used as a user login shell so it is painful to simply move the existing binary to the side. Bob -- Bob Friesenhahn bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer,http://www.GraphicsMagick.org/ ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
Bruce Lilly bruce.li...@gmail.com writes: http://lists.research.att.com/pipermail/ast-developers/2014q3/003964.html Thanks for that... that is encouraging. ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
We have tested all our systems, and the only ones that were vulnerable (in cgi-bin) were ones that we had put in a bash script to test. if you don't have any bash scripts in your cgi-bin, and your default system shll is not bash (and on Solaris, and Ubuntu it isn't) then you pretty much aren't exploitable via a web-server. there are possible issues if you have restricted users/remote logons ... if the user has the bash shell as their default it is possible to escape from the restricted environment. e.g. http://troy.jdmz.net/rsync/index.html where you have a validate-rsync procedure that checks if you are connecting with the command rsync ... (the easiest way to fix the above is to create an rsyncd server and connect to that, rather than ssh'ing) also, although it's annoying you probably want to go around and delete all your authorized_keys files so that you cannot ssh in without a password. I'm not sure, but I've been told that github/heroku use bash for the shells that they allow remote connections on, I don't know if they are exploitable remotely, but I don't really want to check that out :) remember that you can only use this bug to run commands as the user who is logged on ... if the person knows the username and password already then they can just run the command straight. Jon On 30 September 2014 09:40, Jim Klimov jimkli...@cos.ru wrote: 29 сентября 2014 г. 17:46:20 CEST, Jason Matthews ja...@broken.net пишет: paraphrasing Joshua from WarGames, bash is a strange game where the only winning move is not to play. J. Sent from my iPhone On Sep 29, 2014, at 2:43 AM, Udo Grabowski (IMK) udo.grabow...@kit.edu wrote: As predicted, there's more bash horror (Score 11): ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss Maybe a stupid question on my side (sorry i'm overwhelmed with relocation and other life events), but how really is this bug exploitable? Especially on Solaris and illumos systems with sh/ksh by default and assumed no scripted CGI (hosts of native or java sourced web-code though) ? I mean, from what I gather, the bug allows to execute unexpected code with credentials of the user that executes bash. On a local system someone should already have a login to do that (or a hacked backdoor), so may have other means for doing mischief. Can it be used to elevate? How? Via config files for root-executed initscripts and cronjobs? If these are editable by a random untrustworthy user, the system is already busted without the bug... I kinda get the point about web-scripts especially where system programs can be called with the default shell of the webserver account (bash for some), although did not really grasp from cursory looks at the articles just how the env-function can be passed via http requests to do the exploit. Let's assume it can be done... as protection/precaution, would it suffice to make sure that apache's and such do not use bash in their /etc/passwd fields (and restart the daemons)? Also, did anyone (beside Oracle) already build and publish a replacement SUNWbash for legacy Solaris 8-10 systems? ;) Thanks, Jim -- Typos courtesy of K-9 Mail on my Samsung Android ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On Tue, 30 Sep 2014, Jim Klimov wrote: Maybe a stupid question on my side (sorry i'm overwhelmed with relocation and other life events), but how really is this bug exploitable? Especially on Solaris and illumos systems with sh/ksh by default and assumed no scripted CGI (hosts of native or java sourced web-code though) ? It is readily exploitable for web CGI scripts which provide/export values provided by the web server and remote client as environment variables. The CGI paradigm has thoroughly permiated web application infrastructures. The exploit requires that bash be executed with the problematic environment variables already set. Service applications obtained from Linux often require bash in order to run. On my own systems, the only service I found which was suspect was 'git' and 'gitweb.cgi' since the 'git' implementation depends on many shell scripts, which specifically depend on bash. For example, this is output from the test-cgi script provided with Apache: CGI/1.0 test script report: argc is 0. argv is . SERVER_SOFTWARE = Apache/2.0.63 (Unix) DAV/2 SERVER_NAME = www.simplesystems.org GATEWAY_INTERFACE = CGI/1.1 SERVER_PROTOCOL = HTTP/1.1 SERVER_PORT = 80 REQUEST_METHOD = GET HTTP_ACCEPT = text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 PATH_INFO = PATH_TRANSLATED = SCRIPT_NAME = /cgi-bin/test-cgi QUERY_STRING = REMOTE_HOST = REMOTE_ADDR = 65.66.245.66 REMOTE_USER = AUTH_TYPE = CONTENT_TYPE = CONTENT_LENGTH = and this is output from a Perl script called 'printenv' which prints everything made available: DOCUMENT_ROOT=/html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 HTTP_ACCEPT_ENCODING=gzip, deflate HTTP_ACCEPT_LANGUAGE=en-US,en;q=0.5 HTTP_CONNECTION=keep-alive HTTP_HOST=www.simplesystems.org HTTP_USER_AGENT=Mozilla/5.0 (X11; SunOS i86pc; rv:30.0) Gecko/20100101 Firefox/30.0 PATH=/usr/sbin:/usr/bin QUERY_STRING= REMOTE_ADDR=65.66.245.66 REMOTE_PORT=53877 REQUEST_METHOD=GET REQUEST_URI=/cgi-bin/printenv SCRIPT_FILENAME=/var/apache2/cgi-bin/printenv SCRIPT_NAME=/cgi-bin/printenv SERVER_ADDR=65.66.246.89 SERVER_ADMIN=webma...@simplesystems.org SERVER_NAME=www.simplesystems.org SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.1 SERVER_SIGNATURE=addressApache/2.0.63 (Unix) DAV/2 Server at www.simplesystems.org Port 80/address\n SERVER_SOFTWARE=Apache/2.0.63 (Unix) DAV/2 TZ=US/Central UNIQUE_ID=rExdoEFC9koAAEJpoxgJ -- Bob Friesenhahn bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer,http://www.GraphicsMagick.org/ ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 25/09/2014 10:42, Jonathan Adams wrote: http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/ does anyone know if this affects us? As predicted, there's more bash horror (Score 11): http://lcamtuf.blogspot.de/2014/09/bash-bug-apply-unofficial-patch-now.html -- Dr.Udo Grabowski Inst.f.Meteorology Climate Research IMK-ASF-SAT http://www.imk-asf.kit.edu/english/sat.php KIT - Karlsruhe Institute of Technology http://www.kit.edu Postfach 3640,76021 Karlsruhe,Germany T:(+49)721 608-26026 F:-926026 ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
paraphrasing Joshua from WarGames, bash is a strange game where the only winning move is not to play. J. Sent from my iPhone On Sep 29, 2014, at 2:43 AM, Udo Grabowski (IMK) udo.grabow...@kit.edu wrote: As predicted, there's more bash horror (Score 11): ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
Hopefully some kind person with necessary knowlege and access will push an updated bash package which works on 151a8/9 so that servers based on OpenIndiana are no longer a disaster situation. It might be necessary to do this a few times until an official proper cure is posted. One service I found (self-compiled in my case) which seemed to be riddled with bash is git service and git web since git uses many shell scripts as part of its implementation and chooses bash. Bob -- Bob Friesenhahn bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer,http://www.GraphicsMagick.org/ ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 26 September 2014 20:04, Saso Kiselkov skiselkov...@gmail.com wrote: The invoking shell is irrelevant. Here's your problem: vvv env X=() { :;} ; echo busted /bin/sh -c echo completed ^^^ Put bash in there and you'll get a vulnerable busted result. Of course, thank you, I never noticed that I was runing /bin/sh, not /bin/bash. Moral of the story: Neverl operate heavy machinery or shell scripts when tired. N. ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
Gary Gendel g...@genashor.com writes: I believe we mostly skirt the issue because, unlike Linux, the default shell (/bin/sh) is ksh93 not bash. This means that under normal conditions we shouldn't have an issue. Only if your cgi scripts actually request bash will apache be a problem. As for ssh, it depends upon the login shell for the user. So, do you mean that ksh93 does not have the vulnerability? ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 26 September 2014 17:02, Harry Putnam rea...@newsguy.com wrote: Gary Gendel g...@genashor.com writes: I believe we mostly skirt the issue because, unlike Linux, the default shell (/bin/sh) is ksh93 not bash. This means that under normal conditions we shouldn't have an issue. Only if your cgi scripts actually request bash will apache be a problem. As for ssh, it depends upon the login shell for the user. So, do you mean that ksh93 does not have the vulnerability? Whence does the OI bash source originate? On the bash that comes with Solaris 10, the vulnerability is not present: [~]= bash --version GNU bash, version 3.00.16(1)-release (sparc-sun-solaris2.10) Copyright (C) 2004 Free Software Foundation, Inc. [~]= env X=() { :;} ; echo busted /bin/sh -c echo completed completed N. ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 9/27/14, 1:41 AM, Nemo wrote: On 26 September 2014 17:02, Harry Putnam rea...@newsguy.com wrote: Gary Gendel g...@genashor.com writes: I believe we mostly skirt the issue because, unlike Linux, the default shell (/bin/sh) is ksh93 not bash. This means that under normal conditions we shouldn't have an issue. Only if your cgi scripts actually request bash will apache be a problem. As for ssh, it depends upon the login shell for the user. So, do you mean that ksh93 does not have the vulnerability? Whence does the OI bash source originate? On the bash that comes with Solaris 10, the vulnerability is not present: [~]= bash --version GNU bash, version 3.00.16(1)-release (sparc-sun-solaris2.10) Copyright (C) 2004 Free Software Foundation, Inc. [~]= env X=() { :;} ; echo busted /bin/sh -c echo completed completed In general, bash != /bin/sh on either Solaris or Illumos-derived systems. Rerun the env test with bash instead of /bin/sh. -- Saso ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
The current maintainer says it's been in bash for ~20 years, why it's not in Solaris 10 is a mystery. On 9/26/14, 7:41 PM, Nemo wrote: On 26 September 2014 17:02, Harry Putnam rea...@newsguy.com wrote: Gary Gendel g...@genashor.com writes: I believe we mostly skirt the issue because, unlike Linux, the default shell (/bin/sh) is ksh93 not bash. This means that under normal conditions we shouldn't have an issue. Only if your cgi scripts actually request bash will apache be a problem. As for ssh, it depends upon the login shell for the user. So, do you mean that ksh93 does not have the vulnerability? Whence does the OI bash source originate? On the bash that comes with Solaris 10, the vulnerability is not present: [~]= bash --version GNU bash, version 3.00.16(1)-release (sparc-sun-solaris2.10) Copyright (C) 2004 Free Software Foundation, Inc. [~]= env X=() { :;} ; echo busted /bin/sh -c echo completed completed N. ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 26 September 2014 19:44, Saso Kiselkov skiselkov...@gmail.com wrote: On 9/27/14, 1:41 AM, Nemo wrote: [...] Whence does the OI bash source originate? On the bash that comes with Solaris 10, the vulnerability is not present: [~]= bash --version GNU bash, version 3.00.16(1)-release (sparc-sun-solaris2.10) Copyright (C) 2004 Free Software Foundation, Inc. [~]= env X=() { :;} ; echo busted /bin/sh -c echo completed completed In general, bash != /bin/sh on either Solaris or Illumos-derived systems. Rerun the env test with bash instead of /bin/sh. [~]= echo $SHELL /bin/bash [~]= env X=() { :;} ; echo busted /bin/sh -c echo completed completed Note that I put bash into /bin to avoid GNUisms. N. ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 26 September 2014 19:47, Gary Gendel g...@genashor.com wrote: The current maintainer says it's been in bash for ~20 years, why it's not in Solaris 10 is a mystery. If you which files, I can dig out the source from the companion disc and compare. N. ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 09/26/14 16:59, Nemo wrote: [~]= echo $SHELL /bin/bash [~]= env X=() { :;} ; echo busted /bin/sh -c echo completed completed Note that I put bash into /bin to avoid GNUisms. Try: $ env X=() { :;} ; echo busted /bin/bash -c echo completed ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 9/27/14, 1:59 AM, Nemo wrote: On 26 September 2014 19:44, Saso Kiselkov skiselkov...@gmail.com wrote: On 9/27/14, 1:41 AM, Nemo wrote: [...] Whence does the OI bash source originate? On the bash that comes with Solaris 10, the vulnerability is not present: [~]= bash --version GNU bash, version 3.00.16(1)-release (sparc-sun-solaris2.10) Copyright (C) 2004 Free Software Foundation, Inc. [~]= env X=() { :;} ; echo busted /bin/sh -c echo completed completed In general, bash != /bin/sh on either Solaris or Illumos-derived systems. Rerun the env test with bash instead of /bin/sh. [~]= echo $SHELL /bin/bash [~]= env X=() { :;} ; echo busted /bin/sh -c echo completed completed Note that I put bash into /bin to avoid GNUisms. The invoking shell is irrelevant. Here's your problem: vvv env X=() { :;} ; echo busted /bin/sh -c echo completed ^^^ Put bash in there and you'll get a vulnerable busted result. -- Saso ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
I guess you can test it yourself: $ env x='() { :;}; echo vulnerable' bash -c echo this is a test 2014-09-25 10:42 GMT+02:00 Jonathan Adams t12nsloo...@gmail.com: http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/ does anyone know if this affects us? ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
Hi, I have already upgraded from /hipster-2014.1 which has fix in it: http://github.com/OpenIndiana/oi-userland/commit/35d2023cdaeba3486586ffb59e4f8a1ecc7a2c24 So, it affects all I guess, until bash is updated. Regards. On 09/25/14 10:42 AM, Jonathan Adams wrote: http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/ does anyone know if this affects us? ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss -- Predrag Zečević, Technical Support Analyst, 2e Systems GmbH Telephone: +49 6196 9505 815, Facsimile: +49 6196 9505 894 Mobile:+49 174 3109 288, Skype: predrag.zecevic E-mail:predrag.zece...@2e-systems.com Headquarter: 2e Systems GmbH, Königsteiner Str. 87, 65812 Bad Soden am Taunus, Germany Company registration: Amtsgericht Königstein (Germany), HRB 7303 Managing director:Phil Douglas http://www.2e-systems.com/ - Making your business fly! [***]===--- Your code should be more efficient! ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 25/09/2014 10:42, Jonathan Adams wrote: http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/ The bug works, so we are affected with everything that is based on bash, as well as all users using bash in their projects. This is a bug with high impact and risks, so a fix should be available for oi dev and hipster as fast as possible. -- Dr.Udo Grabowski Inst.f.Meteorology Climate Research IMK-ASF-SAT http://www.imk-asf.kit.edu/english/sat.php KIT - Karlsruhe Institute of Technology http://www.kit.edu Postfach 3640,76021 Karlsruhe,Germany T:(+49)721 608-26026 F:-926026 ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 09/25/2014 12:46, Udo Grabowski (IMK) wrote: On 25/09/2014 10:42, Jonathan Adams wrote: http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/ The bug works, so we are affected with everything that is based on bash, as well as all users using bash in their projects. This is a bug with high impact and risks, so a fix should be available for oi dev and hipster as fast as possible. Hello. I've seen fix for CVE-2014-6271, which I've already committed, but not for CVE-2014-7169... -- Best regards, Alexander Pyhalov, system administrator of Southern Federal University IT department ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 25/09/2014 6:50 PM, Alexander Pyhalov wrote: On 09/25/2014 12:46, Udo Grabowski (IMK) wrote: On 25/09/2014 10:42, Jonathan Adams wrote: http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/ The bug works, so we are affected with everything that is based on bash, as well as all users using bash in their projects. This is a bug with high impact and risks, so a fix should be available for oi dev and hipster as fast as possible. Hello. I've seen fix for CVE-2014-6271, which I've already committed, but not for CVE-2014-7169... I'm stuck on 151a8 at the moment, is there any chance a fixed bash binary could be made available somewhere? ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 09/25/2014 15:08, Carl Brewer wrote: On 25/09/2014 6:50 PM, Alexander Pyhalov wrote: On 09/25/2014 12:46, Udo Grabowski (IMK) wrote: On 25/09/2014 10:42, Jonathan Adams wrote: http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/ The bug works, so we are affected with everything that is based on bash, as well as all users using bash in their projects. This is a bug with high impact and risks, so a fix should be available for oi dev and hipster as fast as possible. Hello. I've seen fix for CVE-2014-6271, which I've already committed, but not for CVE-2014-7169... I'm stuck on 151a8 at the moment, is there any chance a fixed bash binary could be made available somewhere? Binary will likely not work, because it was compiled with later libc version. But you can try compile it yourself (you can look at using oi-userland on /dev - https://github.com/OpenIndiana/oi-userland, it can work with some tweaks to configs). -- С уважением, Александр Пыхалов, программист отдела телекоммуникационной инфраструктуры управления информационно-коммуникационной инфраструктуры ЮФУ ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 25/09/2014 13:08, Carl Brewer wrote: On 25/09/2014 6:50 PM, Alexander Pyhalov wrote: On 09/25/2014 12:46, Udo Grabowski (IMK) wrote: On 25/09/2014 10:42, Jonathan Adams wrote: http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/ The bug works, so we are affected with everything that is based on bash, as well as all users using bash in their projects. This is a bug with high impact and risks, so a fix should be available for oi dev and hipster as fast as possible. Hello. I've seen fix for CVE-2014-6271, which I've already committed, but not for CVE-2014-7169... I'm stuck on 151a8 at the moment, is there any chance a fixed bash binary could be made available somewhere? Recent discussions seem to lead to a general security concern with the crippled bash parser, so there nearly certainly will be more and more security issues in the next days to come up. I think the better alternative is to provide 'dash' and symlink bash to dash instead, as dash much cleaner, faster, and POSIX - compliant. Although, as it has not been widely used as bash yet, could have its own bugs not yet discovered -- Dr.Udo Grabowski Inst.f.Meteorology Climate Research IMK-ASF-SAT http://www.imk-asf.kit.edu/english/sat.php KIT - Karlsruhe Institute of Technology http://www.kit.edu Postfach 3640,76021 Karlsruhe,Germany T:(+49)721 608-26026 F:-926026 ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 25/09/2014 9:28 PM, Alexander Pyhalov wrote: On 09/25/2014 15:08, Carl Brewer wrote: On 25/09/2014 6:50 PM, Alexander Pyhalov wrote: On 09/25/2014 12:46, Udo Grabowski (IMK) wrote: On 25/09/2014 10:42, Jonathan Adams wrote: http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/ The bug works, so we are affected with everything that is based on bash, as well as all users using bash in their projects. This is a bug with high impact and risks, so a fix should be available for oi dev and hipster as fast as possible. Hello. I've seen fix for CVE-2014-6271, which I've already committed, but not for CVE-2014-7169... I'm stuck on 151a8 at the moment, is there any chance a fixed bash binary could be made available somewhere? Binary is here. http://buildzone.oi-build.r61.net/bash It runs on /dev for me, but I have /dev with freshly rebuilt illumos-gate. You can try if it works for you. Of course, I don't guarantee that it will not eat your data :) It's not immediately happy : $ ./bash --version ld.so.1: bash: fatal: libc.so.1: version 'ILLUMOS_0.8' not found (required by file bash) ld.so.1: bash: fatal: libc.so.1: open failed: No such file or directory Killed ldd ./bash libcurses.so.1 =/lib/libcurses.so.1 libdl.so.1 =/lib/libdl.so.1 libc.so.1 = /lib/libc.so.1 libc.so.1 (ILLUMOS_0.8) = (version not found) libsocket.so.1 =/lib/libsocket.so.1 libgen.so.1 = /lib/libgen.so.1 libnsl.so.1 = /lib/libnsl.so.1 libmp.so.2 =/lib/libmp.so.2 libmd.so.1 =/lib/libmd.so.1 libm.so.2 = /lib/libm.so.2 I wonder, I've tried in the past to bump this box to 151a9 but had problems with messy pkg errors that I didn't have the time to sort out - how stable is hipster these days? Stable enough to run a LAN server with a couple of Virtualbox VM's on it? ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
Don't get too up in a rush to upgrade bash. It's just been verified that the patch isn't actually effective. :( -brian On Thu, Sep 25, 2014 at 09:31:52PM +1000, Carl Brewer wrote: On 25/09/2014 9:28 PM, Alexander Pyhalov wrote: On 09/25/2014 15:08, Carl Brewer wrote: On 25/09/2014 6:50 PM, Alexander Pyhalov wrote: On 09/25/2014 12:46, Udo Grabowski (IMK) wrote: On 25/09/2014 10:42, Jonathan Adams wrote: http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/ The bug works, so we are affected with everything that is based on bash, as well as all users using bash in their projects. This is a bug with high impact and risks, so a fix should be available for oi dev and hipster as fast as possible. Hello. I've seen fix for CVE-2014-6271, which I've already committed, but not for CVE-2014-7169... I'm stuck on 151a8 at the moment, is there any chance a fixed bash binary could be made available somewhere? Binary is here. http://buildzone.oi-build.r61.net/bash It runs on /dev for me, but I have /dev with freshly rebuilt illumos-gate. You can try if it works for you. Of course, I don't guarantee that it will not eat your data :) It's not immediately happy : $ ./bash --version ld.so.1: bash: fatal: libc.so.1: version 'ILLUMOS_0.8' not found (required by file bash) ld.so.1: bash: fatal: libc.so.1: open failed: No such file or directory Killed ldd ./bash libcurses.so.1 =/lib/libcurses.so.1 libdl.so.1 =/lib/libdl.so.1 libc.so.1 = /lib/libc.so.1 libc.so.1 (ILLUMOS_0.8) = (version not found) libsocket.so.1 =/lib/libsocket.so.1 libgen.so.1 = /lib/libgen.so.1 libnsl.so.1 = /lib/libnsl.so.1 libmp.so.2 =/lib/libmp.so.2 libmd.so.1 =/lib/libmd.so.1 libm.so.2 = /lib/libm.so.2 I wonder, I've tried in the past to bump this box to 151a9 but had problems with messy pkg errors that I didn't have the time to sort out - how stable is hipster these days? Stable enough to run a LAN server with a couple of Virtualbox VM's on it? ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 09/25/2014 15:31, Carl Brewer wrote: I wonder, I've tried in the past to bump this box to 151a9 but had problems with messy pkg errors that I didn't have the time to sort out - how stable is hipster these days? Stable enough to run a LAN server with a couple of Virtualbox VM's on it? Honestly, I don't know :) Usually if something is broken, it's desktop-related soft (as it's harder to test thoroughly). I think that in the nearest future Sun DHCP server will be removed from illumos-gate (and our users will immediately see this). I run several test VMs and VMs which I use in my courses (VirtualBox, VMware and KVM guests, but no OI host). There was no anything completely catastrophic. However, sometimes some issues appear (don't know if /dev has them). I think, you can try. Note, that dev = hipster updates are not supported now. The best way to install is to use install CDs: http://dlc.openindiana.org/isos/hipster/. -- Best regards, Alexander Pyhalov, system administrator of Southern Federal University IT department ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On Thu, 25 Sep 2014, Udo Grabowski (IMK) wrote: Recent discussions seem to lead to a general security concern with the crippled bash parser, so there nearly certainly will be more and more security issues in the next days to come up. I think the better alternative is to provide 'dash' and symlink bash to dash instead, as dash much cleaner, faster, and POSIX - compliant. Although, as it has not been widely used as bash yet, could have its own bugs not yet discovered Unfortunately, 'dash' is not completely compatible with scripts written for 'bash'. It is not clear to my why people write shell scripts targeting bash, but it seems to happen often. Bob -- Bob Friesenhahn bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer,http://www.GraphicsMagick.org/ ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
On 09/25/14 03:48 PM, Bob Friesenhahn wrote: On Thu, 25 Sep 2014, Udo Grabowski (IMK) wrote: Recent discussions seem to lead to a general security concern with the crippled bash parser, so there nearly certainly will be more and more security issues in the next days to come up. I think the better alternative is to provide 'dash' and symlink bash to dash instead, as dash much cleaner, faster, and POSIX - compliant. Although, as it has not been widely used as bash yet, could have its own bugs not yet discovered Unfortunately, 'dash' is not completely compatible with scripts written for 'bash'. It is not clear to my why people write shell scripts targeting bash, but it seems to happen often. Bob Probably because they are coming from Linux background... I had to leave ksh because of that ... Regards. -- Predrag Zečević, Technical Support Analyst, 2e Systems GmbH Telephone: +49 6196 9505 815, Facsimile: +49 6196 9505 894 Mobile:+49 174 3109 288, Skype: predrag.zecevic E-mail:predrag.zece...@2e-systems.com Headquarter: 2e Systems GmbH, Königsteiner Str. 87, 65812 Bad Soden am Taunus, Germany Company registration: Amtsgericht Königstein (Germany), HRB 7303 Managing director:Phil Douglas http://www.2e-systems.com/ - Making your business fly! [***]===--- Never put off till run-time what you can do at compile-time. -- D. Gries ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
In regard to: Re: [OpenIndiana-discuss] Bash bug issue, Bob Friesenhahn...: Unfortunately, 'dash' is not completely compatible with scripts written for 'bash'. It is not clear to my why people write shell scripts targeting bash, but it seems to happen often. Two reasons: - It's the all the world's a VAX syndrome for the current generation. - bash (and ksh) do provide some handy features that traditional Bourne shell does not, and for a large portion of inexperienced programmers, convenience/laziness trumps portability Both things drive me crazy, but they've been going on for my entire career in computing, so I have no reason to expect that either are going to ever disappear. Tim -- Tim Mooney tim.moo...@ndsu.edu Enterprise Computing Infrastructure 701-231-1076 (Voice) Room 242-J6, Quentin Burdick Building 701-231-8541 (Fax) North Dakota State University, Fargo, ND 58105-5164 ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
I believe we mostly skirt the issue because, unlike Linux, the default shell (/bin/sh) is ksh93 not bash. This means that under normal conditions we shouldn't have an issue. Only if your cgi scripts actually request bash will apache be a problem. As for ssh, it depends upon the login shell for the user. On 09/25/2014 01:04 PM, Tim Mooney wrote: In regard to: Re: [OpenIndiana-discuss] Bash bug issue, Bob Friesenhahn...: Unfortunately, 'dash' is not completely compatible with scripts written for 'bash'. It is not clear to my why people write shell scripts targeting bash, but it seems to happen often. Two reasons: - It's the all the world's a VAX syndrome for the current generation. - bash (and ksh) do provide some handy features that traditional Bourne shell does not, and for a large portion of inexperienced programmers, convenience/laziness trumps portability Both things drive me crazy, but they've been going on for my entire career in computing, so I have no reason to expect that either are going to ever disappear. Tim ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Bash bug issue
I know I created the original post that sparked this debate, but I have to say that we've been checking our servers all day, and we cannot get any of them to act compromised ... we don't use bash scripts in our cgi-bin and nothing seems to try to run bash at all (fuser `which bash` only returns my shells) The ssh things could be an issue, but we're nuking all ssh authorized_keys wherever we find them, and we don't have accounts restricted to running specific applications via ssh, so the users who can ssh in should know what they're doing, or not know so much that they aren't a threat. I do have bash scripts on our system that users run manually, but that is because the old Solaris 10 /bin/sh is brain-dead, csh is a nasty piece of work for scripting and ksh scripts don't seem as portable to Linux/old Solaris boxes. Jon On 25 September 2014 18:18, Gary Gendel g...@genashor.com wrote: I believe we mostly skirt the issue because, unlike Linux, the default shell (/bin/sh) is ksh93 not bash. This means that under normal conditions we shouldn't have an issue. Only if your cgi scripts actually request bash will apache be a problem. As for ssh, it depends upon the login shell for the user. On 09/25/2014 01:04 PM, Tim Mooney wrote: In regard to: Re: [OpenIndiana-discuss] Bash bug issue, Bob Friesenhahn...: Unfortunately, 'dash' is not completely compatible with scripts written for 'bash'. It is not clear to my why people write shell scripts targeting bash, but it seems to happen often. Two reasons: - It's the all the world's a VAX syndrome for the current generation. - bash (and ksh) do provide some handy features that traditional Bourne shell does not, and for a large portion of inexperienced programmers, convenience/laziness trumps portability Both things drive me crazy, but they've been going on for my entire career in computing, so I have no reason to expect that either are going to ever disappear. Tim ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss