I installed the latest version with Florian Weimer's life-saving patch and:

root@host:/tmp# bash --version
GNU bash, version 4.2.50(2)-release (x86_64-slackware-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
root@host:/tmp# ./bashcheck
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
./bashcheck: line 18: 15852 Segmentation fault      bash -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bug

I'm specifically worried about that segfault there.

Sep 29 18:42:04 host kernel: [5969481.075841] bash[15818]: segfault at 4c5c450 ip 00000000004245c3 sp 00007fff49154740 error 4 in bash[400000+e4000]

I've already seen that lcamtuf got to:
bash[3054]: segfault at 41414141 ip 00190d96 ...

Weep.


On Mon, Sep 29, 2014 at 6:34 PM, Max Miorim <[email protected]> wrote:

> Ah, this is useful too: https://github.com/hannob/bashcheck
>
> It's a shell script that tells you which of the vulnerabilities affect the
> version you have installed.
>
> On Mon, Sep 29, 2014 at 6:32 PM, Max Miorim <[email protected]> wrote:
>
>> Has anyone here tried using Slackware without bash, or at least without
>> bash as /bin/sh?
>>
>> I know that Debian and the BSDs use other shells as /bin/sh (dash, ash,
>> ksh, pd-ksh, etc.), and I remember that when I tried to do this I had
>> problems with booting on Slackware (arrays are bash-specific, not POSIX
>> sh, and some things such as the network configuration depend on them).
>>
>> On Mon, Sep 29, 2014 at 6:27 PM, J. Tozo <[email protected]> wrote:
>>
>>> Come back from the hills!
>>>
>>> But not for long
>>>
>>> https://twitter.com/lcamtuf/status/516297412579581952
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: Slackware Security Team <[email protected]>
>>> Date: Mon, Sep 29, 2014 at 4:33 PM
>>> Subject: [slackware-security] bash (SSA:2014-272-01)
>>> To: [email protected]
>>>
>>>
>>>
>>> [slackware-security]  bash (SSA:2014-272-01)
>>>
>>> New bash packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
>>> and -current to fix a security issue.
>>>
>>>
>>> Here are the details from the Slackware 14.1 ChangeLog:
>>> +--------------------------+
>>> patches/packages/bash-4.2.050-i486-1_slack14.1.txz:  Upgraded.
>>>   Another bash update.  Here's some information included with the patch:
>>>     "This patch changes the encoding bash uses for exported functions to avoid
>>>     clashes with shell variables and to avoid depending only on an environment
>>>     variable's contents to determine whether or not to interpret it as a shell
>>>     function."
>>>   After this update, an environment variable will not go through the parser
>>>   unless it follows this naming structure:  BASH_FUNC_*%%
>>>   Most scripts never expected to import functions from environment variables,
>>>   so this change (although not backwards compatible) is not likely to break
>>>   many existing scripts.  It will, however, close off access to the parser as
>>>   an attack surface in the vast majority of cases.  There's already another
>>>   vulnerability similar to CVE-2014-6271 for which there is not yet a fix,
>>>   but this hardening patch prevents it (and likely many more similar ones).
>>>   Thanks to Florian Weimer and Chet Ramey.
>>>   (* Security fix *)
>>> +--------------------------+
>>>
>>>
>>> Where to find the new packages:
>>> +-----------------------------+
>>>
>>> Thanks to the friendly folks at the OSU Open Source Lab
>>> (http://osuosl.org) for donating FTP and rsync hosting
>>> to the Slackware project!  :-)
>>>
>>> Also see the "Get Slack" section on http://slackware.com for
>>> additional mirror sites near you.
>>>
>>> Updated package for Slackware 13.0:
>>>
>>> ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/bash-3.1.020-i486-1_slack13.0.txz
>>>
>>> Updated package for Slackware x86_64 13.0:
>>>
>>> ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/bash-3.1.020-x86_64-1_slack13.0.txz
>>>
>>> Updated package for Slackware 13.1:
>>>
>>> ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/bash-4.1.014-i486-1_slack13.1.txz
>>>
>>> Updated package for Slackware x86_64 13.1:
>>>
>>> ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/bash-4.1.014-x86_64-1_slack13.1.txz
>>>
>>> Updated package for Slackware 13.37:
>>>
>>> ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/bash-4.1.014-i486-1_slack13.37.txz
>>>
>>> Updated package for Slackware x86_64 13.37:
>>>
>>> ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/bash-4.1.014-x86_64-1_slack13.37.txz
>>>
>>> Updated package for Slackware 14.0:
>>>
>>> ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/bash-4.2.050-i486-1_slack14.0.txz
>>>
>>> Updated package for Slackware x86_64 14.0:
>>>
>>> ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/bash-4.2.050-x86_64-1_slack14.0.txz
>>>
>>> Updated package for Slackware 14.1:
>>>
>>> ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/bash-4.2.050-i486-1_slack14.1.txz
>>>
>>> Updated package for Slackware x86_64 14.1:
>>>
>>> ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/bash-4.2.050-x86_64-1_slack14.1.txz
>>>
>>> Updated package for Slackware -current:
>>>
>>> ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/bash-4.3.027-i486-1.txz
>>>
>>> Updated package for Slackware x86_64 -current:
>>>
>>> ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/bash-4.3.027-x86_64-1.txz
>>>
>>>
>>> MD5 signatures:
>>> +-------------+
>>>
>>>
>>>
>>> Installation instructions:
>>> +------------------------+
>>>
>>> Upgrade the package as root:
>>> # upgradepkg bash-4.2.050-i486-1_slack14.1.txz
>>>
>>>
>>> +-----+
>>>
>>> Slackware Linux Security Team
>>> http://slackware.com/gpg-key
>>> [email protected]
>>>
>>>
>>>
>>> --
>>> Thanks,
>>>
>>>  Tozo
>>>
>>>  --
>>> GUS-BR - Grupo de Usuários de Slackware Brasil
>>> http://www.slackwarebrasil.org/
>>> http://groups.google.com/group/slack-users-br
>>>
>>> Before asking:
>>>
>>> http://www.vivaolinux.com.br/artigo/Como-elaborar-perguntas-para-listas-de-discussao
>>>
>>> To leave the list, send an e-mail to:
>>> [email protected]
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "Slackware Users Group - Brazil" group.
>>> To unsubscribe from this group and stop receiving e-mails from it,
>>> send an e-mail to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>>



-- 
Thanks,

 Tozo
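
The forwarded advisory says that after the update only variables named BASH_FUNC_*%% reach the function parser. The script below is an added example, not part of this thread, of bashcheck or of the Slackware patch: it classifies NAME=value entries, in the NUL-separated layout of /proc/PID/environ, by whether an unpatched or a hardened bash would treat them as exported functions. The helper names and the sample entries are constructed, and the "() {" value prefix is taken as the function marker.

```shell
#!/bin/sh
# Added example: which NAME=value entries would bash treat as exported
# functions, before and after the BASH_FUNC_*%% hardening?

# classify_env_entry NAME=value prints one of:
#   hardened-import  name is BASH_FUNC_*%% and the value starts with "() {"
#   legacy-import    value starts with "() {" under any other name; only
#                    bash builds without the hardening patch parse it
#   plain            never treated as a function definition
classify_env_entry() {
    case $1 in *=*) ;; *) echo plain; return 0 ;; esac
    name=${1%%=*}
    value=${1#*=}
    case $value in
        "() {"*) ;;
        *) echo plain; return 0 ;;
    esac
    case $name in
        BASH_FUNC_?*%%) echo hardened-import ;;
        *) echo legacy-import ;;
    esac
}

# audit_environ FILE: FILE holds NUL-separated entries, the layout of
# /proc/PID/environ. Prints "class name" for every non-plain entry.
# Limitation: tr splits values that contain newlines.
audit_environ() {
    tr '\0' '\n' < "$1" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        class=$(classify_env_entry "$entry")
        [ "$class" = plain ] || printf '%s %s\n' "$class" "${entry%%=*}"
    done
}

# Constructed sample input (not taken from a real host).
sample_environ() {
    printf 'HOME=/root\0OLDSTYLE=() { echo hi; }\0'
    printf 'BASH_FUNC_greet%%%%=() { echo hi; }\0'
}

tmp=$(mktemp) && sample_environ > "$tmp" && audit_environ "$tmp"
rm -f "$tmp"
```

On a patched host, a legacy-import entry is inert data, but it is still worth logging because it shows something tried to hand bash a function definition through the environment.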
