BASH exposure expressed as bigger than Heartbleed<SOLUTIONS>

Message

rg66 · #141 Post by **rg66** » Fri 03 Oct 2014, 09:49

Geoffrey and I came up with an auto patching script. It downloads the source, the patches, and compiles it. It requires yad which most puppies have except slacko, but it's in the repo.

Remove the fake .gz extension and make sure it's executable.

The devx.sfs must be loaded to compile

Edit: Updated to v1.1

Geoffrey · #142 Post by **Geoffrey** » Fri 03 Oct 2014, 10:50

Bash updated again pets are here http://www.murga-linux.com/puppy/viewto ... 669#801669

Bash-Release: 4.3
Patch-ID: bash43-029

Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
Bug-Reference-ID:
Bug-Reference-URL:

Bug-Description:

When bash is parsing a function definition that contains a here-document
delimited by end-of-file (or end-of-string), it leaves the closing delimiter
uninitialized. This can result in an invalid memory access when the parsed
function is later copied.

anikin · #143 Post by **anikin** » Fri 03 Oct 2014, 11:55

rg66 wrote:Geoffrey and I came up with an auto patching script. It downloads the source, the patches, and compiles it. It requires yad which most puppies have except slacko, but it's in the repo.

rg66 and Geoffrey,

Can you please, make a simpler version of the autopatching script - a purely text based compiling script, similar to slackbuilds, iguleder's, or Tman's scripts?

Thank you in advance.

mavrothal · #144 Post by **mavrothal** » Fri 03 Oct 2014, 12:37

mavrothal wrote:However, now that the "function" worm of cans is opened I would not be surprised if 21 and 22 are around the corner.

bash-3.0.21.

Passes all tests

rg66 · #145 Post by **rg66** » Fri 03 Oct 2014, 15:04

anikin wrote:Can you please, make a simpler version of the autopatching script - a purely text based compiling script, similar to slackbuilds, iguleder's, or Tman's scripts?

Thank you in advance.

Sure, double click (or single depending on desktop settings) to run in terminal. The working directory is where the script is run from.

The devx.sfs must be loaded to compile

Edit: Updated to v1.1

rolf · #146 Post by **rolf** » Fri 03 Oct 2014, 15:19

mavrothal wrote:bash-3.0.21.

Passes all tests

Your 3.0.20 still passes:

Code: Select all

curl --insecure https://shellshocker.net/shellshock_test.sh | bash

There are others?

Thanks!

dejan555 · #147 Post by **dejan555** » Fri 03 Oct 2014, 16:59

I won't be able to do any compiling for a few days as I'm oft to the countryside, I'll mirror new pets when I'm back

lost3.1 · #148 Post by **lost3.1** » Sat 04 Oct 2014, 00:05

GNU bash, version 4.3.29(1)-release (i686-pc-linux-gnu)

Precise Puppy version 5.7.1, released Aug 2013

Passed

version2013 · #149 Post by **version2013** » Sat 04 Oct 2014, 00:18

My list of mirrors for the latest bash packages:
http://version2013.yolasite.com/page1.php#bash

James C · #150 Post by **James C** » Sat 04 Oct 2014, 03:17

Slacko 5.9.3 ...... latest bash from Slackware.

Code: Select all


# bash --version
GNU bash, version 4.2.50(2)-release (i486-slackware-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
# curl --insecure https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2194  100  2194    0     0   4223      0 --:--:-- --:--:-- --:--:--  4310
CVE-2014-6271 (original shellshock): not vulnerable
bash: shellshocker: command not found
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
bash: line 49: 14617 Segmentation fault      bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2> /dev/null
CVE-2014-7186 (redir_stack bug): VULNERABLE
CVE-2014-7187 (nested loops off by one): not vulnerable
#

rg66 · #151 Post by **rg66** » Sat 04 Oct 2014, 04:50

Batch Patcher command line has been updated to v1.1. Double click (or single depending on desktop settings) to run in terminal.

http://murga-linux.com/puppy/viewtopic. ... 875#801875

rolf · #152 Post by **rolf** » Sat 04 Oct 2014, 12:32

I've got a small, mostly unattended web server running on Puppy 4.31 on a thin client. I can temporarily connect a monitor and install the patched bash by clicking on them and running pet-get in the gui. It would be more convenient if I could install the pet from CLI in an ssh session, possibly incorporating the Batch Patcher in this process.

As far as I've seen looking around google is that it can be done; there are scripts that seem to extract the pet and run a script within, but, iianm, some aspects of the Puppy package management system are lost when going this route.

Is there CLI package management for Puppy 4.31 that takes care of package/file tracking, upgrading, removing, etc. features that are provided by the gui package manager?
Thanks.

sc0ttman · #153 Post by **sc0ttman** » Sat 04 Oct 2014, 17:12

rolf wrote: Is there CLI package management for Puppy 4.31 that takes care of package/file tracking, upgrading, removing, etc. features that are provided by the gui package manager?
Thanks.

There is 'Pkg' - my package manager in Akita and Puppy Arcade.. It has a very extensive CLI interface, the only thing that would need changing is how it reads and writes to repo files.. Or maybe you could steal some functions from it... It's in the Akita thread..

Leon · #154 Post by **Leon** » Sat 04 Oct 2014, 18:10

rg66 wrote:Batch Patcher command line has been updated to v1.1.

bash_patcher_cli-1.1.gz

Works like a charm.

Thank you, rg66.

rolf · #155 Post by **rolf** » Sat 04 Oct 2014, 22:33

sc0ttman wrote:There is 'Pkg' - my package manager in Akita and Puppy Arcade.. It has a very extensive CLI interface, the only thing that would need changing is how it reads and writes to repo files.. Or maybe you could steal some functions from it... It's in the Akita thread..

Yes. I tried 0.9.5 but it got stuck in a loop about the missing repo files. 0.9.0 gives me the

Code: Select all

Usage: pkg [OPTION(S)]

info, at least, and I'll try it when I get another pet that needs installing.
Thanks.

p.s. I found that, after uninstalling the series of patched bash from this thread with ppm, I was left with the old, vulnerable binary. That gave me a chance to try pkg and it seemed to work:

Code: Select all

# pkg -i patched_bash/bash-3.0.21-i486.pet 
cat: /root/.packages/alienpackages.txt: No such file or directory
cat: /root/.packages/livepackages5a.txt: No such file or directory
Install the package: bash-3.0.21-i486?  (y/n):  
ycat: /root/.packages/livepackages5a.txt: No such file or directory

cat: /root/.packages/livepackages5a.txt: No such file or directory
cat: /root/.packages/alienpackages.txt: No such file or directory
cat: /root/.packages/livepackages5a.txt: No such file or directory
Package 'bash-3.0.21-i486' installed.
# y
-sh: y: command not found
# curl --insecure https://shellshocker.net/shellshock_test.sh | bash 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
101  2533  101  2533    0     0    658      0  0:00:03  0:00:03 --:--:--   680
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
# bash -version
GNU bash, version 3.00.21(1)-release (i486-pc-linux-gnu�)
Copyright (C) 2004 Free Software Foundation, Inc.

rolf · #156 Post by **rolf** » Sat 04 Oct 2014, 22:53

rg66 wrote:Batch Patcher command line has been updated to v1.1.

I got this script and devx_431.sfs on my Puppy 4.3.1

With

cpu MHz : 300.632
and
MemTotal: 250352 kB

it took a little while but it worked, run from ssh cli.

The binary it produced is a little smaller than the one from mavrothal's 3.0.21 pet, which I'll stay with.

Code: Select all

# ls bash-3.0.21/bin -l
total 631
-rwxr-xr-x 1 root root 641708 2014-10-04 12:04 bash
# ls `which bash` -l
-rwxr-xr-x 1 root root 660100 2014-10-03 07:28 /bin/bash

Thanks.

Geoffrey · #157 Post by **Geoffrey** » Mon 06 Oct 2014, 05:25

Bash updated to version 4.3.30
http://www.murga-linux.com/puppy/viewto ... 669#801669

mavrothal · #158 Post by **mavrothal** » Mon 06 Oct 2014, 05:53

Bash-3.0.22.
Passes all tests.

Keep in mind that although older versions may not be vulnerable to given exploits, newer versions have better solutions for the given problems (till the next version of course...

)

6502coder · #159 Post by **6502coder** » Mon 06 Oct 2014, 06:01

@mathroval
Thanks! You must feel like a Puppy chasing his own tail...

dejan555 · #160 Post by **dejan555** » Mon 06 Oct 2014, 16:39

Mirrored, added and updated links to latest bash pets here:
http://www.murga-linux.com/puppy/viewto ... 075#801075

(old)Puppy Linux Discussion Forum

(old)Puppy Linux Discussion Forum

BASH exposure expressed as bigger than Heartbleed<SOLUTIONS>

bash

mirroring