* [gentoo-user] [Security] Update bash *NOW*
From: Walter Dnes @ 2014-09-25 1:58 UTC
To: Gentoo Users List
Slashdot article http://linux.slashdot.org/story/14/09/24/1638207/remote-exploit-vulnerability-found-in-bash
Story at http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html
CVE ID CVE-2014-6271 at http://seclists.org/oss-sec/2014/q3/650
Summary... bash scripts, CGI, perl via "system()", and various other
"commands" invoke a bash shell at times, passing environmental variables
in the process. Problem is that an "environmental variable" ***CAN
CONTAIN A FUNCTION DEFINITION, AND EXECUTE IT WHILST SPAWNING A NEW
SHELL***. E.g. execute the command...
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
...and you get the following...
vulnerable
this is a test
Replace...
x='() { :;}; echo vulnerable'
...with malicious stuff, and it could get ugly. app-shells/bash-4.2_p48
has been pushed to Gentoo stable. The same "env" command results in...
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
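The probe above is a one-off to read by eye. As an added example (not code from the thread or from Gentoo), here is a small POSIX sh wrapper that runs the same probe against one or more shells and turns the result into an exit status a sysadmin can script against; it assumes only a POSIX sh and the bash binary under test.

```shell
#!/bin/sh
# Added example, not code from the thread: a defender-side wrapper around the
# probe posted above, so the same check can be run over several shells on a
# host and reported as an exit status instead of being read by eye.

# classify_probe_output TEXT
# Interprets the combined stdout/stderr of the probe. A vulnerable bash runs
# the trailing "echo vulnerable", so that word appears. A fixed bash either
# prints the "ignoring function definition attempt" warning quoted in the
# thread, or (if it no longer imports functions from plain variables at all)
# prints only the test string. Returns 1 vulnerable, 0 patched, 2 unknown.
classify_probe_output() {
    case "$1" in
        *vulnerable*)                                return 1 ;;
        *"ignoring function definition attempt"*)    return 0 ;;
        *"this is a test"*)                          return 0 ;;
        *)                                           return 2 ;;
    esac
}

# shellshock_check [SHELL]
# Runs the thread's probe against SHELL (default: bash on PATH), prints a
# one-line verdict and returns the classify_probe_output status (2 if SHELL
# is missing). Caveat from later in the thread: the first Gentoo fix
# (4.2_p48) did not fully close the hole, so "patched" here means only that
# this particular probe pattern is rejected; still install the -r1 revision.
shellshock_check() {
    shell="${1:-bash}"
    if ! command -v "$shell" >/dev/null 2>&1; then
        printf 'unknown: %s not found\n' "$shell"
        return 2
    fi
    # Same probe as in the thread: x holds a function body followed by an
    # extra command that only an unpatched bash executes while importing x.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c "echo this is a test" 2>&1)
    classify_probe_output "$out" && rc=0 || rc=$?
    case "$rc" in
        1) printf 'VULNERABLE: %s runs code from env function definitions\n' "$shell" ;;
        0) printf 'patched: %s rejects the function definition\n' "$shell" ;;
        *) printf 'unknown: unexpected output from %s: %s\n' "$shell" "$out" ;;
    esac
    return "$rc"
}

# Stand-alone use: pass the shells to test as arguments (default: bash on PATH).
[ $# -eq 0 ] && set -- bash
for s in "$@"; do
    shellshock_check "$s"
done
```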
* Re: [gentoo-user] [Security] Update bash *NOW*
From: Kerin Millar @ 2014-09-25 12:54 UTC
To: gentoo-user
On 25/09/2014 02:58, Walter Dnes wrote:
[snip]
> ...with malicious stuff, and it could get ugly. app-shells/bash-4.2_p48
> has been pushed to Gentoo stable. The same "env" command results in...
Unfortunately, that version did fully address the problem. Instead,
upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were
recently committed. For further details:
https://bugs.gentoo.org/show_bug.cgi?id=523592
--Kerin
* Re: [gentoo-user] [Security] Update bash *NOW*
From: Kerin Millar @ 2014-09-25 12:58 UTC
To: gentoo-user
On 25/09/2014 13:54, Kerin Millar wrote:
> On 25/09/2014 02:58, Walter Dnes wrote:
>
> [snip]
>
>> ...with malicious stuff, and it could get ugly. app-shells/bash-4.2_p48
>> has been pushed to Gentoo stable. The same "env" command results in...
>
> Unfortunately, that version did fully address the problem. Instead,
> upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were
> recently committed. For further details:
>
> https://bugs.gentoo.org/show_bug.cgi?id=523592
>
Oops. Obviously, I meant to write "did not fully address the problem".
--Kerin
* Re: [gentoo-user] [Security] Update bash *NOW*
From: covici @ 2014-09-25 14:02 UTC
To: gentoo-user
Kerin Millar <kerframil@fastmail.co.uk> wrote:
> On 25/09/2014 02:58, Walter Dnes wrote:
>
> [snip]
>
> > ...with malicious stuff, and it could get ugly. app-shells/bash-4.2_p48
> > has been pushed to Gentoo stable. The same "env" command results in...
>
> Unfortunately, that version did fully address the problem. Instead,
> upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were
> recently committed. For further details:
>
> https://bugs.gentoo.org/show_bug.cgi?id=523592
I cannot update to that, it's not in the tree as of last night.
--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?
John Covici
covici@ccs.covici.com
* Re: [gentoo-user] [Security] Update bash *NOW*
From: Tomas Mozes @ 2014-09-25 14:09 UTC
To: gentoo-user; +Cc: covici
On 2014-09-25 16:02, covici@ccs.covici.com wrote:
> Kerin Millar <kerframil@fastmail.co.uk> wrote:
>
>> On 25/09/2014 02:58, Walter Dnes wrote:
>>
>> [snip]
>>
>> > ...with malicious stuff, and it could get ugly. app-shells/bash-4.2_p48
>> > has been pushed to Gentoo stable. The same "env" command results in...
>>
>> Unfortunately, that version did fully address the problem. Instead,
>> upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were
>> recently committed. For further details:
>>
>> https://bugs.gentoo.org/show_bug.cgi?id=523592
> I cannot update to that, its not in the tree as of last night.
Try to rsync from some other mirror.
* Re: [gentoo-user] [Security] Update bash *NOW*
From: Walter Dnes @ 2014-09-26 0:11 UTC
To: gentoo-user
On Thu, Sep 25, 2014 at 01:54:10PM +0100, Kerin Millar wrote
> On 25/09/2014 02:58, Walter Dnes wrote:
>
> [snip]
>
> > ...with malicious stuff, and it could get ugly. app-shells/bash-4.2_p48
> > has been pushed to Gentoo stable. The same "env" command results in...
>
> Unfortunately, that version did fully address the problem. Instead,
> upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were
> recently committed. For further details:
>
> https://bugs.gentoo.org/show_bug.cgi?id=523592
>
> --Kerin
OK, I've got app-shells/bash-4.2_p48-r1 installed now.
--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications