Re: bash vulnerability

On Wed, Oct 01, 2014 at 06:58:58PM +0200, ga...@zahemszky.hu wrote:
> On 2014-09-30 23:48, Jason Hellenthal wrote:
> > I would agree with that. Considering the korn shell was found out to be importing functions from bash this morning that it does not completely know how to interpret goes to say that there is a much bigger issue at face here than the mere sys admins can begin to fathom quite yet.
>
> Can you provide us links to this Korn-shell problem?

I think that Jason may have been referring to the discussion at:
https://lists.gnu.org/archive/html/bug-bash/2014-09/msg00350.html

It talks about ksh misimporting environment variables in general, not just Bash functions.

> And which version of Korn-shell are you talking about? Eg. in FreeBSD ports, we have at least three different types of ksh:
> shells/ksh93 - the original, from ATT's David Korn
> shells/pdksh - a public domain reimplementation of the old ksh88
> shells/mksh - the MirBSD's Korn-shell (a fork of pdksh)

Well, the test with the following command:

    env 'a|b=1' ksh -c 'set' | fgrep -e 'a|b'

...shows that ksh93 is vulnerable, pdksh and mksh are not.

G'luck,
Peter

-- 
Peter Pentchev r...@ringlet.net r...@freebsd.org p.penc...@storpool.com
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
Re: bash vulnerability

On 2014-09-30 23:48, Jason Hellenthal wrote:
> I would agree with that. Considering the korn shell was found out to be importing functions from bash this morning that it does not completely know how to interpret goes to say that there is a much bigger issue at face here than the mere sys admins can begin to fathom quite yet.

Can you provide us links to this Korn-shell problem?

And which version of Korn-shell are you talking about? Eg. in FreeBSD ports, we have at least three different types of ksh:

shells/ksh93 - the original, from ATT's David Korn
shells/pdksh - a public domain reimplementation of the old ksh88
shells/mksh - the MirBSD's Korn-shell (a fork of pdksh)

Thanks,

Gabor
Gabor at Zahemszky dot HU

___
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to freebsd-security-unsubscr...@freebsd.org
Re: bash vulnerability

On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote:
> On 9/29/2014 11:01 AM, Mike Tancsa wrote:
> > On 9/26/2014 5:01 PM, Bryan Drewery wrote:
> > > On 9/26/2014 12:41 PM, Bryan Drewery wrote:
> > > > On 9/26/2014 11:51 AM, Bryan Drewery wrote:
> > > > > On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
> > > > > > Apparently, the full fix is still not delivered, according to this:
> > > > > > http://seclists.org/oss-sec/2014/q3/741
> > > > > >
> > > > > > Kind regards,
> > > > > > Bartek Rutkowski
> > > > >
> > > > > I'm pretty sure they call that a feature. This is a bit different.
> > > >
> > > > I've disabled environment function importing in the port. Using --import-functions will allow it to work if you need it.
> >
> > Hi Bryan,
> > With the latest ports, bashcheck still sees some issues with bash. Are these false positives on FreeBSD?
> >
> > Using https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
> >
> >     Not vulnerable to CVE-2014-6271 (original shellshock)
> >     Not vulnerable to CVE-2014-7169 (taviso bug)
> >     ./bashcheck: line 18: 54908 Segmentation fault (core dumped) bash -c true $(printf '<<EOF %.0s' {1..79}) 2> /dev/null
> >     Vulnerable to CVE-2014-7186 (redir_stack bug)
> >     Test for CVE-2014-7187 not reliable without address sanitizer
> >     Variable function parser inactive, likely safe from unknown parser bugs
> >
> > ---Mike
>
> Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.

Applying the first patch for parse.y from the following post passed the tests for me.

http://www.openwall.com/lists/oss-security/2014/09/25/32

In fact, all major Linux distros seem to use it now.

FYI,

Jung-uk Kim
Re: bash vulnerability

    echo "Testing Exploit 1 (CVE-2014-6271)"
    CVE6271=$(env x='() { :;}; echo -n V' bash -c : 2>/dev/null)
    [ "${CVE6271}" == V ] && echo VULNERABLE || echo NOT VULNERABLE

    echo "Testing Exploit 2 (CVE-2014-7169)"
    CVE7169=$(env X='() { (4lpi.com)=>\' bash -c "echo date" 2>/dev/null; cat echo 2>/dev/null; rm -f echo)
    [ ! "${CVE7169}" == date ] && echo VULNERABLE || echo NOT VULNERABLE

    echo "Testing Exploit 3 (CVE-2014-6277)"
    CVE6277=$(env -i X=' () { }; echo -n V' bash -c :)
    [ "${CVE6277}" == V ] && echo VULNERABLE || echo NOT VULNERABLE

    echo "Testing Exploit 4 (CVE-2014-7186)"
    CVE7186=$(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null || echo -n V)
    [ "${CVE7186}" == V ] && echo VULNERABLE || echo NOT VULNERABLE

    echo "Testing Exploit 5 (CVE-2014-7187)"
    CVE7187=$((for x in {1..200}; do echo "for x$x in ; do :"; done; for x in {1..200}; do echo done; done) | bash 2>/dev/null || echo -n V)
    [ "${CVE7187}" == V ] && echo VULNERABLE || echo NOT VULNERABLE

Good luck ;-)

On Sep 30, 2014, at 13:54, Jung-uk Kim j...@freebsd.org wrote:
> On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote:
> > On 9/29/2014 11:01 AM, Mike Tancsa wrote:
> > > On 9/26/2014 5:01 PM, Bryan Drewery wrote:
> > > > On 9/26/2014 12:41 PM, Bryan Drewery wrote:
> > > > > On 9/26/2014 11:51 AM, Bryan Drewery wrote:
> > > > > > On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
> > > > > > > Apparently, the full fix is still not delivered, according to this:
> > > > > > > http://seclists.org/oss-sec/2014/q3/741
> > > > > > >
> > > > > > > Kind regards,
> > > > > > > Bartek Rutkowski
> > > > > >
> > > > > > I'm pretty sure they call that a feature. This is a bit different.
> > > > >
> > > > > I've disabled environment function importing in the port. Using --import-functions will allow it to work if you need it.
> > >
> > > Hi Bryan,
> > > With the latest ports, bashcheck still sees some issues with bash. Are these false positives on FreeBSD?
> > >
> > > Using https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
> > >
> > >     Not vulnerable to CVE-2014-6271 (original shellshock)
> > >     Not vulnerable to CVE-2014-7169 (taviso bug)
> > >     ./bashcheck: line 18: 54908 Segmentation fault (core dumped) bash -c true $(printf '<<EOF %.0s' {1..79}) 2> /dev/null
> > >     Vulnerable to CVE-2014-7186 (redir_stack bug)
> > >     Test for CVE-2014-7187 not reliable without address sanitizer
> > >     Variable function parser inactive, likely safe from unknown parser bugs
> > >
> > > ---Mike
> >
> > Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.
>
> Applying the first patch for parse.y from the following post passed the tests for me.
>
> http://www.openwall.com/lists/oss-security/2014/09/25/32
>
> In fact, all major Linux distros seem to use it now.
>
> FYI,
>
> Jung-uk Kim

-- 
Jason Hellenthal
Mobile: +1 (616) 953-0176
jhellent...@dataix.net
JJH48-ARIN
Re: bash vulnerability

On 9/30/2014 1:54 PM, Jung-uk Kim wrote:
> On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote:
> > On 9/29/2014 11:01 AM, Mike Tancsa wrote:
> > > On 9/26/2014 5:01 PM, Bryan Drewery wrote:
> > > > On 9/26/2014 12:41 PM, Bryan Drewery wrote:
> > > > > On 9/26/2014 11:51 AM, Bryan Drewery wrote:
> > > > > > On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
> > > > > > > Apparently, the full fix is still not delivered, according to this:
> > > > > > > http://seclists.org/oss-sec/2014/q3/741
> > > > > > >
> > > > > > > Kind regards,
> > > > > > > Bartek Rutkowski
> > > > > >
> > > > > > I'm pretty sure they call that a feature. This is a bit different.
> > > > >
> > > > > I've disabled environment function importing in the port. Using --import-functions will allow it to work if you need it.
> > >
> > > Hi Bryan,
> > > With the latest ports, bashcheck still sees some issues with bash. Are these false positives on FreeBSD?
> > >
> > > Using https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
> > >
> > >     Not vulnerable to CVE-2014-6271 (original shellshock)
> > >     Not vulnerable to CVE-2014-7169 (taviso bug)
> > >     ./bashcheck: line 18: 54908 Segmentation fault (core dumped) bash -c true $(printf '<<EOF %.0s' {1..79}) 2> /dev/null
> > >     Vulnerable to CVE-2014-7186 (redir_stack bug)
> > >     Test for CVE-2014-7187 not reliable without address sanitizer
> > >     Variable function parser inactive, likely safe from unknown parser bugs
> > >
> > > ---Mike
> >
> > Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.
>
> Applying the first patch for parse.y from the following post passed the tests for me.
>
> http://www.openwall.com/lists/oss-security/2014/09/25/32
>
> In fact, all major Linux distros seem to use it now.
>
> FYI,
>
> Jung-uk Kim

I was holding off on this one as it had not proven to be remotely exploitable from what I saw. I was also wanting to see what upstream did before throwing more intrusive patches at our port.

I even saw a reddit post last night complaining that OSX had updated bash only to leave it still vulnerable because of the redir_stack issue. I will apply the redir_stack patch since it's becoming an FAQ.

-- 
Regards,
Bryan Drewery
Re: bash vulnerability

On Sep 30, 2014, at 12:46 PM, Bryan Drewery bdrew...@freebsd.org wrote:
[ ... ]
> I even saw a reddit post last night complaining that OSX had updated bash only to leave it still vulnerable because of the redir_stack issue.

It doesn't seem to be?

    bash-3.2$ bash --version
    GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
    Copyright (C) 2007 Free Software Foundation, Inc.
    bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
    Testing Exploit 4 (CVE-2014-7186)
    bash-3.2$ CVE7186=$(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null || echo -n V)
    bash-3.2$ [ ${CVE7186} == V ] && echo VULNERABLE || echo NOT VULNERABLE
    NOT VULNERABLE

This being said, I'm not confident that there won't be further issues found with bash.

Regards,
-- 
-Chuck
Re: bash vulnerability

I would agree with that. Considering the korn shell was found out to be importing functions from bash this morning that it does not completely know how to interpret goes to say that there is a much bigger issue at face here than the mere sys admins can begin to fathom quite yet.

There is still more to come from this. We may not see the end of it for the next 10 years.

But also to state: bash 4.3.27 on 10-RELEASE-p9 reports as not vulnerable to the five known CVEs right now, but that same shell compiled on a 9.1-RELEASE system is still vulnerable to the last two CVEs …

That said, this is deep just when you think you have it conquered.

On Sep 30, 2014, at 16:25, Charles Swiger cswi...@mac.com wrote:
> On Sep 30, 2014, at 12:46 PM, Bryan Drewery bdrew...@freebsd.org wrote:
> [ ... ]
> > I even saw a reddit post last night complaining that OSX had updated bash only to leave it still vulnerable because of the redir_stack issue.
>
> It doesn't seem to be?
>
>     bash-3.2$ bash --version
>     GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
>     Copyright (C) 2007 Free Software Foundation, Inc.
>     bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
>     Testing Exploit 4 (CVE-2014-7186)
>     bash-3.2$ CVE7186=$(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null || echo -n V)
>     bash-3.2$ [ ${CVE7186} == V ] && echo VULNERABLE || echo NOT VULNERABLE
>     NOT VULNERABLE
>
> This being said, I'm not confident that there won't be further issues found with bash.
>
> Regards,
> -- 
> -Chuck

-- 
Jason Hellenthal
Mobile: +1 (616) 953-0176
jhellent...@dataix.net
JJH48-ARIN
Re: bash vulnerability

On 9/30/2014 5:25 PM, Charles Swiger wrote:
>     bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
>     Testing Exploit 4 (CVE-2014-7186)
>     bash-3.2$ CVE7186=$(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null || echo -n V)
>     bash-3.2$ [ ${CVE7186} == V ] && echo VULNERABLE || echo NOT VULNERABLE
>     NOT VULNERABLE
>
> This being said, I'm not confident that there won't be further issues found with bash.

What are people using to check these issues? I was using https://github.com/hannob/bashcheck

Not sure if that gives false positives? Even on linux with all patches applied, it coredumps on 7186. Yet the BASH maintainer says all holes are patched? Or does he consider 2014-7186 not a security issue?

http://lists.gnu.org/archive/html/bug-bash/2014-09/msg00341.html

    # bash ./bashcheck
    Not vulnerable to CVE-2014-6271 (original shellshock)
    Not vulnerable to CVE-2014-7169 (taviso bug)
    ./bashcheck: line 18: 19749 Segmentation fault (core dumped) bash -c true $(printf '<<EOF %.0s' {1..79}) 2> /dev/null
    Vulnerable to CVE-2014-7186 (redir_stack bug)
    Test for CVE-2014-7187 not reliable without address sanitizer
    Variable function parser inactive, likely safe from unknown parser bugs
    #

-- 
---
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
Re: bash vulnerability

On 2014-09-30 18:00:31 -0400, Mike Tancsa wrote:
> On 9/30/2014 5:25 PM, Charles Swiger wrote:
> >     bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
> >     Testing Exploit 4 (CVE-2014-7186)
> >     bash-3.2$ CVE7186=$(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null || echo -n V)
> >     bash-3.2$ [ ${CVE7186} == V ] && echo VULNERABLE || echo NOT VULNERABLE
> >     NOT VULNERABLE
> >
> > This being said, I'm not confident that there won't be further issues found with bash.
>
> What are people using to check these issues? I was using https://github.com/hannob/bashcheck
>
> Not sure if that gives false positives?
...

Yes, it seems it does.

https://github.com/hannob/bashcheck/commit/5b611b36

Jung-uk Kim
Re: bash vulnerability

On Sep 30, 2014, at 3:08 PM, Jung-uk Kim j...@freebsd.org wrote:
> On 2014-09-30 18:00:31 -0400, Mike Tancsa wrote:
> > On 9/30/2014 5:25 PM, Charles Swiger wrote:
> > >     bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
> > >     Testing Exploit 4 (CVE-2014-7186)
> > >     bash-3.2$ CVE7186=$(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null || echo -n V)
> > >     bash-3.2$ [ ${CVE7186} == V ] && echo VULNERABLE || echo NOT VULNERABLE
> > >     NOT VULNERABLE
> > >
> > > This being said, I'm not confident that there won't be further issues found with bash.
> >
> > What are people using to check these issues? I was using https://github.com/hannob/bashcheck
> >
> > Not sure if that gives false positives?
> ...
>
> Yes, it seems it does.
>
> https://github.com/hannob/bashcheck/commit/5b611b36
>
> Jung-uk Kim

Checking, and agreed.

    bash -c "true $(printf '<<EOF %.0s' {1..70})" 2>/dev/null

...works OK, but this crashes with a SIGSEGV:

    bash -c "true $(printf '<<EOF %.0s' {1..80})" 2>/dev/null

Seems to be blowing out a ~84K malloc buffer located just above the __TEXT page for /bin/bash; it's not blowing out the stack directly and isn't affected by changing ulimit -s.

Regards,
-- 
-Chuck
Re: bash vulnerability

On 9/30/2014 1:54 PM, Jung-uk Kim wrote:
> On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote:
> > On 9/29/2014 11:01 AM, Mike Tancsa wrote:
> > > On 9/26/2014 5:01 PM, Bryan Drewery wrote:
> > > > On 9/26/2014 12:41 PM, Bryan Drewery wrote:
> > > > > On 9/26/2014 11:51 AM, Bryan Drewery wrote:
> > > > > > On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
> > > > > > > Apparently, the full fix is still not delivered, according to this:
> > > > > > > http://seclists.org/oss-sec/2014/q3/741
> > > > > > >
> > > > > > > Kind regards,
> > > > > > > Bartek Rutkowski
> > > > > >
> > > > > > I'm pretty sure they call that a feature. This is a bit different.
> > > > >
> > > > > I've disabled environment function importing in the port. Using --import-functions will allow it to work if you need it.
> > >
> > > Hi Bryan,
> > > With the latest ports, bashcheck still sees some issues with bash. Are these false positives on FreeBSD?
> > >
> > > Using https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
> > >
> > >     Not vulnerable to CVE-2014-6271 (original shellshock)
> > >     Not vulnerable to CVE-2014-7169 (taviso bug)
> > >     ./bashcheck: line 18: 54908 Segmentation fault (core dumped) bash -c true $(printf '<<EOF %.0s' {1..79}) 2> /dev/null
> > >     Vulnerable to CVE-2014-7186 (redir_stack bug)
> > >     Test for CVE-2014-7187 not reliable without address sanitizer
> > >     Variable function parser inactive, likely safe from unknown parser bugs
> > >
> > > ---Mike
> >
> > Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.
>
> Applying the first patch for parse.y from the following post passed the tests for me.
>
> http://www.openwall.com/lists/oss-security/2014/09/25/32
>
> In fact, all major Linux distros seem to use it now.
>
> FYI,
>
> Jung-uk Kim

For some reason the redir_stack issue is not showing up at all for me on head without the patch. It does show up on an 8.4 system of mine without the patch though. I have applied it now to the port.

-- 
Regards,
Bryan Drewery
Re: bash vulnerability

On 9/26/2014 5:01 PM, Bryan Drewery wrote:
> On 9/26/2014 12:41 PM, Bryan Drewery wrote:
> > On 9/26/2014 11:51 AM, Bryan Drewery wrote:
> > > On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
> > > > Apparently, the full fix is still not delivered, according to this:
> > > > http://seclists.org/oss-sec/2014/q3/741
> > > >
> > > > Kind regards,
> > > > Bartek Rutkowski
> > >
> > > I'm pretty sure they call that a feature. This is a bit different.
> >
> > I've disabled environment function importing in the port. Using --import-functions will allow it to work if you need it.

Hi Bryan,

With the latest ports, bashcheck still sees some issues with bash. Are these false positives on FreeBSD?

Using https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck

    Not vulnerable to CVE-2014-6271 (original shellshock)
    Not vulnerable to CVE-2014-7169 (taviso bug)
    ./bashcheck: line 18: 54908 Segmentation fault (core dumped) bash -c true $(printf '<<EOF %.0s' {1..79}) 2> /dev/null
    Vulnerable to CVE-2014-7186 (redir_stack bug)
    Test for CVE-2014-7187 not reliable without address sanitizer
    Variable function parser inactive, likely safe from unknown parser bugs

---Mike

-- 
---
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
Re: bash vulnerability

On 9/29/2014 11:01 AM, Mike Tancsa wrote:
> On 9/26/2014 5:01 PM, Bryan Drewery wrote:
> > On 9/26/2014 12:41 PM, Bryan Drewery wrote:
> > > On 9/26/2014 11:51 AM, Bryan Drewery wrote:
> > > > On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
> > > > > Apparently, the full fix is still not delivered, according to this:
> > > > > http://seclists.org/oss-sec/2014/q3/741
> > > > >
> > > > > Kind regards,
> > > > > Bartek Rutkowski
> > > >
> > > > I'm pretty sure they call that a feature. This is a bit different.
> > >
> > > I've disabled environment function importing in the port. Using --import-functions will allow it to work if you need it.
>
> Hi Bryan,
>
> With the latest ports, bashcheck still sees some issues with bash. Are these false positives on FreeBSD?
>
> Using https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
>
>     Not vulnerable to CVE-2014-6271 (original shellshock)
>     Not vulnerable to CVE-2014-7169 (taviso bug)
>     ./bashcheck: line 18: 54908 Segmentation fault (core dumped) bash -c true $(printf '<<EOF %.0s' {1..79}) 2> /dev/null
>     Vulnerable to CVE-2014-7186 (redir_stack bug)
>     Test for CVE-2014-7187 not reliable without address sanitizer
>     Variable function parser inactive, likely safe from unknown parser bugs
>
> ---Mike

Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.

-- 
Regards,
Bryan Drewery
Re: bash vulnerability

Dear all,

In case you urgently need to go the manual route, here is one way to really patch your systems:

https://www.circl.lu/pub/tr-27/

Until the patch is in the bash upstream… (which it might be by now)

Take care,

-- 
Steve Clement
CIRCL - Computer Incident Response Center Luxembourg
Awareness raising, incident handling
A: 41, Av. de la Gare L-1611 Luxembourg
T: (352) 274 00 98 604
F: (352) 274 00 98 698
E: i...@circl.lu
W: www.circl.lu

On Sep 25, 2014, at 6:57 PM, Bryan Drewery bdrew...@freebsd.org wrote:
> The port is fixed with all known public exploits. The package is building currently.
Re: bash vulnerability

On Thu, Sep 25, 2014 at 03:35:55PM -0400, Chris Nehren wrote:
> On Thu, Sep 25, 2014 at 11:57:38 -0500, Bryan Drewery wrote:
> > 1. Do not ever link /bin/sh to bash. This is why it is such a big problem on Linux, as system(3) will run bash by default from CGI.
>
> I would think that this would cause other, more fundamental, issues. FreeBSD's systems don't expect /bin/sh to be bash, and I wouldn't be surprised if they break for whatever reason.
>
> > 2. Web/CGI users should have a shell of /sbin/nologin.
> > 3. Don't write CGI in shell script / Stop using CGI :)
> > 4. httpd/CGId should never run as root, nor apache. Sandbox each application into its own user.
>
> And its own jail. Jails with ZFS are dirt cheap.

For the goodness of jails with ZFS, we need to fix unionfs and devfs.
Re: bash vulnerability

On Fri, Sep 26, 2014 at 6:40 PM, Bryan Drewery bdrew...@freebsd.org wrote:
> On 9/26/2014 2:36 AM, Steve Clement wrote:
> > Dear all,
> >
> > In case you urgently need to go the manual route, here is one way to really patch your systems:
> >
> > https://www.circl.lu/pub/tr-27/
> >
> > Until the patch is in the bash upstream… (which it might be by now)
> >
> > Take care,
>
> The port has had the fixes since yesterday. The packages are building.
>
> -- 
> Regards,
> Bryan Drewery

Apparently, the full fix is still not delivered, according to this:
http://seclists.org/oss-sec/2014/q3/741

Kind regards,
Bartek Rutkowski
pkg repositories out of alignment (was: Re: bash vulnerability)

Just a note that the pkg repo for 10 seems to be far advanced over that for 9.3. That is, the bash fix appeared in the 10 repo yesterday (or earlier), but it is still not in the 9.3 repo. Here's what I'm seeing on a 9.3 box right now:

    # sudo pkg update
    Updating FreeBSD repository catalogue...
    FreeBSD repository is up-to-date.
    All repositories are up-to-date.
    # sudo pkg audit
    bash-4.3.24 is vulnerable:
    bash -- remote code execution vulnerability
    CVE: CVE-2014-7169
    CVE: CVE-2014-6271
    WWW: http://portaudit.FreeBSD.org/71ad81da-4414-11e4-a33e-3c970e169bc2.html
    1 problem(s) in the installed packages found.
    # sudo pkg upgrade bash
    Updating FreeBSD repository catalogue...
    FreeBSD repository is up-to-date.
    All repositories are up-to-date.
    Checking integrity... done (0 conflicting)
    Your packages are up to date.

I appreciate the speed that folks update the packages; I'm a bit distressed that 9.3 seems to be a second-class citizen for security fixes. (And I totally admit that I could be misreading the situation.)

--Paul Hoffman
Re: pkg repositories out of alignment (was: Re: bash vulnerability)

On Fri, Sep 26, 2014, at 10:25, Paul Hoffman wrote:
> I appreciate the speed that folks update the packages; I'm a bit distressed that 9.3 seems to be a second-class citizen for security fixes. (And I totally admit that I could be misreading the situation.)

(speaking strictly as a consumer of the pkg repository)

I am not aware of any other packages with security vulnerabilities that have been updated on the repository outside of the planned once-a-week schedule. This means if the package set is built and published and immediately thereafter a vulnerability comes out for www/chromium, don't expect to see the update until next week.

There is a desire to solve this problem and it is not a simple solution. Keep in mind that the ports tree has existed for 20 years now expecting people to consume it from source, not from packages. I've witnessed the ports team and ports-mgmt/pkg authors perform miracles over the last 2 years and they have further plans to modernize the architecture.

FYI, the repositories are built sequentially and I don't think there's a preference of a certain release over another. They're working hard to get these updated packages out the door as fast as possible.
Re: bash vulnerability

On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
> On Fri, Sep 26, 2014 at 6:40 PM, Bryan Drewery bdrew...@freebsd.org wrote:
> > On 9/26/2014 2:36 AM, Steve Clement wrote:
> > > Dear all,
> > >
> > > In case you urgently need to go the manual route, here is one way to really patch your systems:
> > >
> > > https://www.circl.lu/pub/tr-27/
> > >
> > > Until the patch is in the bash upstream… (which it might be by now)
> > >
> > > Take care,
> >
> > The port has had the fixes since yesterday. The packages are building.
> >
> > -- 
> > Regards,
> > Bryan Drewery
>
> Apparently, the full fix is still not delivered, according to this:
> http://seclists.org/oss-sec/2014/q3/741
>
> Kind regards,
> Bartek Rutkowski

I'm pretty sure they call that a feature. This is a bit different.

This is modifying the command used to call a function as the feature intends. The vulnerability was that just parsing the environment would execute the code.

TL;DR: You should cleanse your environment and only accept valid input to work around this feature. The bash developer (Chet) said he would not remove it by default, at least a few days ago.

-- 
Regards,
Bryan Drewery
Re: bash vulnerability

On 9/26/2014 2:36 AM, Steve Clement wrote:
> Dear all,
>
> In case you urgently need to go the manual route, here is one way to really patch your systems:
>
> https://www.circl.lu/pub/tr-27/
>
> Until the patch is in the bash upstream… (which it might be by now)
>
> Take care,

The port has had the fixes since yesterday. The packages are building.

-- 
Regards,
Bryan Drewery
Re: bash vulnerability

On 9/26/2014 11:51 AM, Bryan Drewery wrote:
> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
> > On Fri, Sep 26, 2014 at 6:40 PM, Bryan Drewery bdrew...@freebsd.org wrote:
> > > On 9/26/2014 2:36 AM, Steve Clement wrote:
> > > > Dear all,
> > > >
> > > > In case you urgently need to go the manual route, here is one way to really patch your systems:
> > > >
> > > > https://www.circl.lu/pub/tr-27/
> > > >
> > > > Until the patch is in the bash upstream… (which it might be by now)
> > > >
> > > > Take care,
> > >
> > > The port has had the fixes since yesterday. The packages are building.
> > >
> > > -- 
> > > Regards,
> > > Bryan Drewery
> >
> > Apparently, the full fix is still not delivered, according to this:
> > http://seclists.org/oss-sec/2014/q3/741
> >
> > Kind regards,
> > Bartek Rutkowski
>
> I'm pretty sure they call that a feature. This is a bit different.
>
> This is modifying the command used to call a function as the feature intends. The vulnerability was that just parsing the environment would execute the code.
>
> TL;DR: You should cleanse your environment and only accept valid input to work around this feature. The bash developer (Chet) said he would not remove it by default, at least a few days ago.

There is more discussion here: http://seclists.org/oss-sec/2014/q3/746

Anyway I still think this is not anything to panic about. However I am making the decision to disable this feature entirely in our bash port by default. I will use christos@NetBSD's patch to add a --import-functions flag to bash. The port will allow selecting the default at build time. Ours will have it disabled.

I have no idea what the impact is on this but it is the safest route for now; scripts passing functions in the environment is crazy.

-- 
Regards,
Bryan Drewery
Re: bash vulnerability

On 9/26/2014 12:41 PM, Bryan Drewery wrote:
> On 9/26/2014 11:51 AM, Bryan Drewery wrote:
> > On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
> > > Apparently, the full fix is still not delivered, according to this:
> > > http://seclists.org/oss-sec/2014/q3/741
> > >
> > > Kind regards,
> > > Bartek Rutkowski
> >
> > I'm pretty sure they call that a feature. This is a bit different.
>
> I've disabled environment function importing in the port. Using --import-functions will allow it to work if you need it.

https://svnweb.freebsd.org/changeset/ports/369341

-- 
Regards,
Bryan Drewery
Re: bash vulnerability

On 9/25/2014 11:13 AM, Jung-uk Kim wrote:
> On 2014-09-25 02:54:06 -0400, Koichiro Iwao wrote:
> > Please let me make corrections. The shellshock bash vulnerabilities are described by 2 CVEs.
> >
> > - CVE-2014-6271
> > - CVE-2014-7169
> >
> > The first CVE is already fixed in the latest FreeBSD ports tree (r369185); so far the second CVE is not fixed yet.
>
> CVE-2014-7169 is fixed now (r369261).
>
> http://svnweb.freebsd.org/changeset/ports/369261
>
> Note the commit log says CVE-2014-3659 but it was actually reassigned as CVE-2014-7169.
>
> Jung-uk Kim

The port is fixed with all known public exploits. The package is building currently.

However bash still allows the crazy exporting of functions and may still have other parser bugs. I would recommend for the immediate future not using bash for forced ssh commands, as well as these guidelines:

1. Do not ever link /bin/sh to bash. This is why it is such a big problem on Linux, as system(3) will run bash by default from CGI.
2. Web/CGI users should have a shell of /sbin/nologin.
3. Don't write CGI in shell script / Stop using CGI :)
4. httpd/CGId should never run as root, nor apache. Sandbox each application into its own user.
5. Custom restrictive shells, like scponly, should not be written in bash.
6. SSH authorized_keys/sshd_config forced commands should also not be written in bash.

Cheers,
Bryan Drewery
Re: bash vulnerability

On Thu, Sep 25, 2014 at 11:57:38 -0500, Bryan Drewery wrote:
> 1. Do not ever link /bin/sh to bash. This is why it is such a big problem on Linux, as system(3) will run bash by default from CGI.

I would think that this would cause other, more fundamental, issues. FreeBSD's systems don't expect /bin/sh to be bash, and I wouldn't be surprised if they break for whatever reason.

> 2. Web/CGI users should have a shell of /sbin/nologin.
> 3. Don't write CGI in shell script / Stop using CGI :)
> 4. httpd/CGId should never run as root, nor apache. Sandbox each application into its own user.

And its own jail. Jails with ZFS are dirt cheap.

-- 
Chris Nehren