Hi. I have a question.
The Bash package for slitaz 4 already has the security patch?
Or we have to apply them manually?
Well, I'm still using Slitaz4 with the ash-shell which seems not to be affected.
For bash the headlines state everything through 4.3 is affected.
Try these commands and you will see:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
test="() { echo Hello; }; echo gehackt" bash -c ""
good luck.
See http://hg.slitaz.org/wok-stable/rev/853a028198ee
tux@slitaz:~$ cat /etc/slitaz-release
4.0
tux@slitaz:~$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
tux@slitaz:~$ test="() { echo Hello; }; echo gehackt" bash -c ""
bash: warning: test: ignoring function definition attempt
bash: error importing function definition for `test'
@sixofeight, @Bellard
I depend on the bash to run some programs in the system.
I did the tests and everything works perfectly.
Thanks for all replies.
Here is a script that claims to test bash for all vulnerabilities known so far.
It checks against 6 public vulnerabilities.
https://github.com/hannob/bashcheck
Here is my result
Testing /bin/bash ...
GNU bash, versione 4.3.30(3)-release (i686-pc-linux-gnu)
Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)
And this is the package: http://www.freefilehosting.net/bash-43
Warning: it works for me, but the receipt is not complete.
I installed bash (slitaz 4), using SliTaz-Panel, like an average Joe would do it.
Test results:
root@slitaz:/home/tux# ./bashcheck
Testing /bin/bash ...
GNU bash, version 4.2.0(2)-release (i486-slitaz-linux-gnu)
Variable function parser active, maybe vulnerable to unknown parser bugs
Not vulnerable to CVE-2014-6271 (original shellshock)
Vulnerable to CVE-2014-7169 (taviso bug)
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)
..oops...
Try this:
# tazpkg recharge
# tazpkg get-install bash
See the bottom of http://cook.slitaz.org/stable/cooker.cgi?pkg=bash
Testing /home/slitaz/wok/bash/install/bin/bash ...
GNU bash, version 4.2.53(2)-release (i486-slitaz-linux-gnu)
Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)
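Added example, not part of the thread and not part of bashcheck: a small shell filter that turns bashcheck output like the pastes above into per-CVE status records and returns a non-zero exit status when anything is reported vulnerable, so the check can gate an update script. The line formats and the sample are taken from the outputs posted above; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: summarise bashcheck output read from stdin.
# Line formats are assumed to match the outputs pasted in this thread.

# Emit one "STATUS<TAB>ITEM" record per recognised line.
classify_bashcheck() {
    while IFS= read -r line; do
        case "$line" in
            "Vulnerable to CVE-"*)
                cve=${line#Vulnerable to }
                printf 'VULNERABLE\t%s\n' "${cve%% *}" ;;
            "Not vulnerable to CVE-"*)
                cve=${line#Not vulnerable to }
                printf 'OK\t%s\n' "${cve%% *}" ;;
            "Test for CVE-"*"not reliable"*)
                cve=${line#Test for }
                printf 'INCONCLUSIVE\t%s\n' "${cve%% *}" ;;
            "Variable function parser active"*)
                printf 'WARN\tfunction-parser\n' ;;
            "Variable function parser pre/suffixed"*)
                printf 'OK\tfunction-parser\n' ;;
        esac
    done
}

# Print the records; exit status is 1 if any CVE is reported vulnerable.
audit_bashcheck() {
    report=$(classify_bashcheck)
    printf '%s\n' "$report"
    case "$report" in
        *VULNERABLE*) return 1 ;;
    esac
}

# Constructed sample: the 4.2.0(2) result pasted earlier in the thread.
sample_unpatched() {
    cat <<'EOF'
Variable function parser active, maybe vulnerable to unknown parser bugs
Not vulnerable to CVE-2014-6271 (original shellshock)
Vulnerable to CVE-2014-7169 (taviso bug)
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)
EOF
}

sample_unpatched | audit_bashcheck || echo "bash needs updating"
```

On a real system the input would come from `./bashcheck | audit_bashcheck` instead of the embedded sample.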
Hi Bellard
Yup, Patch.level-53 = Problems solved...
and no segfaults anymore in /var/log/messages...
well done....thanks a lot..
Slitaz 4 User...updating..NOW...;-)