BASH exposure expressed as bigger than Heartbleed
- rg66
- Posts: 1158
- Joined: Mon 23 Jul 2012, 05:53
- Location: Vancouver, BC Canada / Entebbe, Uganda Africa!?!
Geoffrey and I came up with an auto patching script. It downloads the source, the patches, and compiles it. It requires yad which most puppies have except slacko, but it's in the repo.
Remove the fake .gz extension and make sure it's executable.
The devx.sfs must be loaded to compile
Edit: Updated to v1.1
- Attachments
-
- bash_patcher-1.1.gz
- Remove fake .gz extension
- (1.52 KiB) Downloaded 289 times
Last edited by rg66 on Sat 04 Oct 2014, 05:26, edited 3 times in total.
X-slacko-5b1 - X-tahr-2.0 - X-precise-2.4
[url=http://smokey01.com/rg66/]X-series repo[/url]
Bash updated again pets are here http://www.murga-linux.com/puppy/viewto ... 669#801669
Bash-Release: 4.3
Patch-ID: bash43-029
Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
Bug-Reference-ID:
Bug-Reference-URL:
Bug-Description:
When bash is parsing a function definition that contains a here-document
delimited by end-of-file (or end-of-string), it leaves the closing delimiter
uninitialized. This can result in an invalid memory access when the parsed
function is later copied.
[b]Carolina:[/b] [url=http://smokey01.com/carolina/pages/recent-repo.html]Recent Repository Additions[/url]
[img]https://dl.dropboxusercontent.com/s/ahfade8q4def1lq/signbot.gif[/img]
rg66 wrote: Geoffrey and I came up with an auto patching script. It downloads the source, the patches, and compiles it. It requires yad which most puppies have except slacko, but it's in the repo.
rg66 and Geoffrey,
Can you please make a simpler version of the auto-patching script, a purely text-based compiling script similar to slackbuilds, iguleder's, or Tman's scripts?
Thank you in advance.
mavrothal wrote:However, now that the "function" worm of cans is opened I would not be surprised if 21 and 22 are around the corner.
bash-3.0.21.
Passes all tests
== [url=http://www.catb.org/esr/faqs/smart-questions.html]Here is how to solve your[/url] [url=https://www.chiark.greenend.org.uk/~sgtatham/bugs.html]Linux problems fast[/url] ==
- rg66
- Posts: 1158
- Joined: Mon 23 Jul 2012, 05:53
- Location: Vancouver, BC Canada / Entebbe, Uganda Africa!?!
anikin wrote: Can you please, make a simpler version of the autopatching script - a purely text based compiling script, similar to slackbuilds, iguleder's, or Tman's scripts? Thank you in advance.
Sure, double click (or single depending on desktop settings) to run in terminal. The working directory is where the script is run from.
The devx.sfs must be loaded to compile
Edit: Updated to v1.1
- Attachments
-
- bash_patcher_cli-1.1.gz
- (1.77 KiB) Downloaded 593 times
-
- bash_patcher.png
- Remove fake .gz extension
- (38.78 KiB) Downloaded 755 times
Last edited by rg66 on Sat 04 Oct 2014, 05:29, edited 3 times in total.
X-slacko-5b1 - X-tahr-2.0 - X-precise-2.4
[url=http://smokey01.com/rg66/]X-series repo[/url]
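A text-only patch-and-build script of the kind anikin asked for, added here as an illustration. It is not rg66's bash_patcher_cli and nothing from the thread; it assumes the GNU mirror layout under ftp.gnu.org/gnu/bash (tarball plus bash-4.3-patches/bash43-NNN with a .sig beside each file), that wget, gpg, patch, make and a C toolchain are available (on Puppy that means devx.sfs is loaded), and that the GNU keyring verifies the patch signatures. The patch level 30 is an assumed value; pass PATCHLEVEL to change it. Signatures are checked before anything is unpacked or applied, which is the one step the thread's download-and-compile flow does not mention.

```shell
#!/bin/sh
# Added example: text-only bash 4.3 patch-and-build script. Not the script
# from the thread. Assumptions: GNU mirror layout, gnu-keyring.gpg verifies
# the bash signatures, PATCHLEVEL=30 is the highest patch wanted.
set -eu

BASH_VER="4.3"
PATCHLEVEL="${PATCHLEVEL:-30}"                 # assumed value
MIRROR="${MIRROR:-https://ftp.gnu.org/gnu/bash}"
WORKDIR="${WORKDIR:-$PWD/bash-build}"          # working dir = where the script is run from
KEYRING="${KEYRING:-$WORKDIR/gnu-keyring.gpg}" # assumed to carry the bash maintainer's key

# "bash43-029"-style file name for patch number N
patch_name() { printf 'bash43-%03d' "$1"; }

# Full URL of patch number N on the mirror
patch_url() { printf '%s/bash-%s-patches/%s' "$MIRROR" "$BASH_VER" "$(patch_name "$1")"; }

# Given a "bash --version" line, succeed if its patch level is already >= PATCHLEVEL
bash_is_current() {
  level=$(printf '%s' "$1" | sed -n 's/.*version [0-9]*\.[0-9]*\.\([0-9]*\).*/\1/p')
  [ -n "$level" ] && [ "$level" -ge "$PATCHLEVEL" ]
}

# Download a file and its detached signature; abort the build if it does not verify
fetch_verified() {
  wget -q "$1" "$1.sig"
  gpg --no-default-keyring --keyring "$KEYRING" \
      --verify "$(basename "$1").sig" "$(basename "$1")"
}

build() {
  mkdir -p "$WORKDIR" && cd "$WORKDIR"
  [ -f "$KEYRING" ] || wget -q -O "$KEYRING" https://ftp.gnu.org/gnu/gnu-keyring.gpg
  fetch_verified "$MIRROR/bash-$BASH_VER.tar.gz"
  tar xzf "bash-$BASH_VER.tar.gz"
  n=1
  while [ "$n" -le "$PATCHLEVEL" ]; do
    fetch_verified "$(patch_url "$n")"
    # GNU bash patches are written to be applied from inside the source tree with -p0
    (cd "bash-$BASH_VER" && patch -p0 < "../$(patch_name "$n")")
    n=$((n + 1))
  done
  (cd "bash-$BASH_VER" && ./configure --prefix=/usr --bindir=/bin && make)
  echo "Built $WORKDIR/bash-$BASH_VER/bash; run 'make install' there as root to replace /bin/bash"
}

if [ "${1:-}" = "--build" ]; then
  if bash_is_current "$(bash --version 2>/dev/null | head -n 1)"; then
    echo "installed bash is already at patch level $PATCHLEVEL or newer"
  else
    build
  fi
fi
```

Run it as `./bash_build.sh --build` from the directory you want the build tree in; without `--build` it only defines the functions, so the version check can be reused from other scripts.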
Your 3.0.20 still passes:
Code:
curl --insecure https://shellshocker.net/shellshock_test.sh | bash
Thanks!
I won't be able to do any compiling for a few days as I'm off to the countryside, I'll mirror new pets when I'm back
puppy.b0x.me stuff mirrored [url=https://drive.google.com/open?id=0B_Mb589v0iCXNnhSZWRwd3R2UWs]HERE[/url] or [url=http://archive.org/details/Puppy_Linux_puppy.b0x.me_mirror]HERE[/url]
-
- Posts: 503
- Joined: Mon 09 Sep 2013, 00:00
- Location: Florida, USA
- Contact:
mirroring
My list of mirrors for the latest bash packages:
http://version2013.yolasite.com/page1.php#bash
Slacko 5.9.3 ...... latest bash from Slackware.
Code:
# bash --version
GNU bash, version 4.2.50(2)-release (i486-slackware-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
# curl --insecure https://shellshocker.net/shellshock_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2194 100 2194 0 0 4223 0 --:--:-- --:--:-- --:--:-- 4310
CVE-2014-6271 (original shellshock): not vulnerable
bash: shellshocker: command not found
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
bash: line 49: 14617 Segmentation fault bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2> /dev/null
CVE-2014-7186 (redir_stack bug): VULNERABLE
CVE-2014-7187 (nested loops off by one): not vulnerable
#
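The shellshocker.net script above is fetched with `curl --insecure` and piped straight into bash, so nothing checks what is executed. As an added example (not from the thread, not the shellshocker.net script), here is a local self-check for two of the bugs in that output: the original function-import bug and the here-document crash that the 4.2.50 build above still shows. It assumes the bash to test is the first `bash` on PATH unless BASH_BIN is set, and it downloads nothing.

```shell
#!/bin/sh
# Added example, not part of the thread: local Shellshock self-check for the
# bash named in BASH_BIN (assumed default: first "bash" on PATH).
BASH_BIN="${BASH_BIN:-bash}"

have_bash() { command -v "$BASH_BIN" >/dev/null 2>&1; }

# CVE-2014-6271: an exported function definition carried in an environment
# variable must not have its trailing command executed when the child shell
# starts. A fixed bash prints only "probe".
check_cve_2014_6271() {
  if ! have_bash; then echo unknown; return; fi
  out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo probe' 2>/dev/null)
  case "$out" in
    *vulnerable*) echo VULNERABLE ;;
    *)            echo "not vulnerable" ;;
  esac
}

# CVE-2014-7186: parsing 14 empty here-documents in one command overran the
# redirection stack and crashed the shell (the "Segmentation fault" line in
# the 4.2.50 output above). A crash shows up as an exit status >= 128.
check_cve_2014_7186() {
  if ! have_bash; then echo unknown; return; fi
  redirs=""; n=0
  while [ "$n" -lt 14 ]; do redirs="$redirs <<EOF"; n=$((n + 1)); done
  if "$BASH_BIN" -c "true$redirs" >/dev/null 2>&1; then
    status=0
  else
    status=$?
  fi
  if [ "$status" -ge 128 ]; then echo VULNERABLE; else echo "not vulnerable"; fi
}

report() {
  echo "bash under test: $BASH_BIN"
  echo "CVE-2014-6271 (original shellshock): $(check_cve_2014_6271)"
  echo "CVE-2014-7186 (redir_stack bug):     $(check_cve_2014_7186)"
}

report
```

On the Slacko 4.2.50 build quoted above the second line would read VULNERABLE (a segfault is exit status 139); on a bash at 4.2.53 or 4.3.30 both lines read "not vulnerable". To test a freshly compiled binary before installing it, run `BASH_BIN=./bash-4.3/bash ./shellshock_check.sh`.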
- rg66
- Posts: 1158
- Joined: Mon 23 Jul 2012, 05:53
- Location: Vancouver, BC Canada / Entebbe, Uganda Africa!?!
Batch Patcher command line has been updated to v1.1. Double click (or single depending on desktop settings) to run in terminal.
http://murga-linux.com/puppy/viewtopic. ... 875#801875
- Attachments
-
- bash_patcher.png
- (38.78 KiB) Downloaded 1887 times
X-slacko-5b1 - X-tahr-2.0 - X-precise-2.4
[url=http://smokey01.com/rg66/]X-series repo[/url]
I've got a small, mostly unattended web server running on Puppy 4.31 on a thin client. I can temporarily connect a monitor and install the patched bash by clicking on them and running pet-get in the gui. It would be more convenient if I could install the pet from CLI in an ssh session, possibly incorporating the Batch Patcher in this process.
As far as I've seen looking around Google, it can be done; there are scripts that seem to extract the pet and run a script within, but, iianm, some aspects of the Puppy package management system are lost when going this route.
Is there CLI package management for Puppy 4.31 that takes care of package/file tracking, upgrading, removing, etc. features that are provided by the gui package manager?
Thanks.
rolf wrote: Is there CLI package management for Puppy 4.31 that takes care of package/file tracking, upgrading, removing, etc. features that are provided by the gui package manager? Thanks.
There is 'Pkg' - my package manager in Akita and Puppy Arcade.. It has a very extensive CLI interface, the only thing that would need changing is how it reads and writes to repo files.. Or maybe you could steal some functions from it... It's in the Akita thread..
[b][url=https://bit.ly/2KjtxoD]Pkg[/url], [url=https://bit.ly/2U6dzxV]mdsh[/url], [url=https://bit.ly/2G49OE8]Woofy[/url], [url=http://goo.gl/bzBU1]Akita[/url], [url=http://goo.gl/SO5ug]VLC-GTK[/url], [url=https://tiny.cc/c2hnfz]Search[/url][/b]
sc0ttman wrote: There is 'Pkg' - my package manager in Akita and Puppy Arcade.. It has a very extensive CLI interface, the only thing that would need changing is how it reads and writes to repo files.. Or maybe you could steal some functions from it... It's in the Akita thread..
Yes. I tried 0.9.5 but it got stuck in a loop about the missing repo files. 0.9.0 gives me the
Code:
Usage: pkg [OPTION(S)]
Thanks.
p.s. I found that, after uninstalling the series of patched bash from this thread with ppm, I was left with the old, vulnerable binary. That gave me a chance to try pkg and it seemed to work:
Code:
# pkg -i patched_bash/bash-3.0.21-i486.pet
cat: /root/.packages/alienpackages.txt: No such file or directory
cat: /root/.packages/livepackages5a.txt: No such file or directory
Install the package: bash-3.0.21-i486? (y/n):
ycat: /root/.packages/livepackages5a.txt: No such file or directory
cat: /root/.packages/livepackages5a.txt: No such file or directory
cat: /root/.packages/alienpackages.txt: No such file or directory
cat: /root/.packages/livepackages5a.txt: No such file or directory
Package 'bash-3.0.21-i486' installed.
# y
-sh: y: command not found
# curl --insecure https://shellshocker.net/shellshock_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
101 2533 101 2533 0 0 658 0 0:00:03 0:00:03 --:--:-- 680
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
# bash -version
GNU bash, version 3.00.21(1)-release (i486-pc-linux-gnu)
Copyright (C) 2004 Free Software Foundation, Inc.
rg66 wrote: Batch Patcher command line has been updated to v1.1.
I got this script and devx_431.sfs on my Puppy 4.3.1 with
- cpu MHz : 300.632
- MemTotal: 250352 kB
The binary it produced is a little smaller than the one from mavrothal's 3.0.21 pet, which I'll stay with.
Code:
# ls bash-3.0.21/bin -l
total 631
-rwxr-xr-x 1 root root 641708 2014-10-04 12:04 bash
# ls `which bash` -l
-rwxr-xr-x 1 root root 660100 2014-10-03 07:28 /bin/bash
Bash updated to version 4.3.30
http://www.murga-linux.com/puppy/viewto ... 669#801669
[b]Carolina:[/b] [url=http://smokey01.com/carolina/pages/recent-repo.html]Recent Repository Additions[/url]
[img]https://dl.dropboxusercontent.com/s/ahfade8q4def1lq/signbot.gif[/img]
Bash-3.0.22.
Passes all tests.
Keep in mind that although older versions may not be vulnerable to given exploits, newer versions have better solutions for the given problems (till the next version of course... )
== [url=http://www.catb.org/esr/faqs/smart-questions.html]Here is how to solve your[/url] [url=https://www.chiark.greenend.org.uk/~sgtatham/bugs.html]Linux problems fast[/url] ==
Mirrored, added and updated links to latest bash pets here:
http://www.murga-linux.com/puppy/viewto ... 075#801075
puppy.b0x.me stuff mirrored [url=https://drive.google.com/open?id=0B_Mb589v0iCXNnhSZWRwd3R2UWs]HERE[/url] or [url=http://archive.org/details/Puppy_Linux_puppy.b0x.me_mirror]HERE[/url]