Page 1 of 2

Remote exploit vulnerability in bash

Posted: 2014-09-24 19:00
by dasein

Re: Remote exploit vulnerability in bash

Posted: 2014-09-24 20:33
by kedaha
Thanks for your post; I see at dsa-3032:
For the stable distribution (wheezy), this problem has been fixed in version 4.2+dfsg-0.1+deb7u1.
So I've updated server and desktop immediately.

Code:

# aptitude dist-upgrade
The following packages will be upgraded: 
  apt apt-utils bash libapt-inst1.5 libapt-pkg4.12
Fixed.

Re: Remote exploit vulnerability in bash

Posted: 2014-09-24 20:49
by Hallvor
Thank you.

Re: Remote exploit vulnerability in bash

Posted: 2014-09-25 22:06
by kedaha
I see it's been called the "Shell Shock Bug". And the news media are making quite a meal out of it.
Anyway, just in case: DashAsBinSh. 8)

Re: Remote exploit vulnerability in bash

Posted: 2014-09-26 02:47
by Spock

Re: Remote exploit vulnerability in bash

Posted: 2014-09-26 15:38
by dasein

Re: Remote exploit vulnerability in bash

Posted: 2014-09-26 21:37
by dasein
Sometimes the obvious fix isn't actually, well, you know... a fix.

http://arstechnica.com/security/2014/09 ... first-fix/

Re: Remote exploit vulnerability in bash

Posted: 2014-09-27 01:39
by Spock

Re: Remote exploit vulnerability in bash

Posted: 2014-09-27 06:36
by kedaha
My server's configured to use dash:

Code:

$ apt-cache policy dash
dash:
  Installed: 0.5.7-3
Out of curiosity, I simulated (since curiosity killed the cat) removing bash and got:

Code:

$ aptitude remove -s bash
The following packages will be REMOVED:  
  bash 
0 packages upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
Need to get 0 B of archives. After unpacking 3,739 kB will be freed.
The following ESSENTIAL packages will be REMOVED!
  bash 

WARNING: Performing this action will probably cause your system to break!
         Do NOT continue unless you know EXACTLY what you are doing!
To continue, type the phrase "I am aware that this is a very bad idea":
I am aware that this is a very bad idea
Would download/install/remove packages.
I have no intention of removing bash but, I just wondered if this might also be "a very bad idea" when the system has been reconfigured to use dash as the default system shell. My guess is that it could be removed providing essential dependencies didn't get removed with it.

Re: Remote exploit vulnerability in bash

Posted: 2014-09-27 13:04
by micksulley
How do I fix this????

My version is
Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.57-3

I have run
apt-get update
apt-get upgrade
and it tells me everything is up to date but running the test I get

mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test

Advise please????
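micksulley's one-liner above is the usual quick test, and kedaha's DashAsBinSh remark a few posts up is the reason to probe /bin/sh separately: dash does not import functions from the environment, but anything started as "bash" or with a #!/bin/bash shebang still runs bash. The script below is an added example, not code from the thread or from Debian. It runs the same one-liner against bash and against whatever /bin/sh resolves to, and, where dpkg is available, compares the installed bash package against the wheezy version kedaha quoted from dsa-3032; "bash --version" keeps reporting 4.2.37 after that fix, so the package revision is the number to check. The marker strings and function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: probe shells for the bash
# function-import bug with the one-liner posted above, show what /bin/sh
# really is, and (if dpkg exists) compare the bash package version with the
# wheezy fix version named in dsa-3032. Names and markers are assumptions.

FIXED_WHEEZY_VERSION='4.2+dfsg-0.1+deb7u1'   # fixed version quoted from dsa-3032

# Run the canonical test against one interpreter. Prints "vulnerable",
# "not vulnerable" or "missing"; returns 0 only for "not vulnerable".
shellshock_probe() {
    shell="$1"
    case "$shell" in
        */*) [ -x "$shell" ] || { echo missing; return 2; } ;;
        *)   command -v "$shell" >/dev/null 2>&1 || { echo missing; return 2; } ;;
    esac
    # An unpatched bash imports PROBE as a function and keeps executing what
    # follows the closing brace, so the marker shows up on stdout.
    out=$(env PROBE='() { :;}; echo SHELLSHOCK_MARKER' "$shell" -c 'echo probe-ran' 2>/dev/null) || true
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable;       return 1 ;;
        *probe-ran*)         echo "not vulnerable"; return 0 ;;
        *)                   echo error;            return 3 ;;
    esac
}

# Which binary /bin/sh resolves to (dash on a DashAsBinSh system).
sh_target() { readlink -f /bin/sh 2>/dev/null || echo unknown; }

# Installed bash package version from dpkg; fails if dpkg is not present.
bash_pkg_version() {
    command -v dpkg-query >/dev/null 2>&1 || return 1
    dpkg-query -W -f='${Version}' bash 2>/dev/null
}

# 0 if the installed package is at or above the dsa-3032 version.
bash_pkg_fixed() {
    v=$(bash_pkg_version) || return 2
    dpkg --compare-versions "$v" ge "$FIXED_WHEEZY_VERSION"
}

main() {
    rc=0
    echo "/bin/sh -> $(sh_target)"
    for s in bash /bin/sh; do
        result=$(shellshock_probe "$s")
        echo "$s: $result"
        [ "$result" = vulnerable ] && rc=1
    done
    if v=$(bash_pkg_version); then
        if bash_pkg_fixed; then echo "bash package $v >= $FIXED_WHEEZY_VERSION"
        else echo "bash package $v < $FIXED_WHEEZY_VERSION"; rc=1; fi
    fi
    return $rc
}

if main; then echo "all checks passed"; else echo "attention needed"; fi
```

On a wheezy box that still prints "Bash is vulnerable!" after apt-get upgrade, the package comparison is the useful line: if dpkg reports a version below 4.2+dfsg-0.1+deb7u1, the fixed package was never offered, which points at the sources list rather than at bash itself.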

Re: Remote exploit vulnerability in bash

Posted: 2014-09-27 13:40
by n_hologram
have you tried:

# apt-get dist-upgrade

Re: Remote exploit vulnerability in bash

Posted: 2014-09-27 15:53
by micksulley
Yes I tried that and it didn't work -

Code:

mick@mick-deb-laptop:~$ sudo apt-get dist-upgrade
[sudo] password for mick: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
mick@mick-deb-laptop:~$ 
mick@mick-deb-laptop:~$ 
mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test
mick@mick-deb-laptop:~$ 


Re: Remote exploit vulnerability in bash

Posted: 2014-09-27 16:11
by Bulkley
micksulley wrote: mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test

Advise please????
Show us your sources.

Re: Remote exploit vulnerability in bash

Posted: 2014-09-27 16:38
by micksulley
deb http://download.virtualbox.org/virtualbox/debian/ wheezy contrib
deb http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb http://ftp.uk.debian.org/debian/ wheezy main non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy main non-free
deb http://www.deb-multimedia.org/ wheezy main non-free
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free

Re: Remote exploit vulnerability in bash

Posted: 2014-09-27 16:46
by dasein
Repo mixing and matching doesn't work across stable versions, either.

If you've been running Debian for two years, then it's probably time to learn the basics of Debian releases and repositories.

https://www.debian.org/releases/
https://wiki.debian.org/SourcesList

Re: Remote exploit vulnerability in bash

Posted: 2014-09-27 18:01
by micksulley
I added the squeeze-lts today as it was suggested in a thread I found as a supposed fix for this. I have just removed them again and it still does not work.

Code:

mick@mick-deb-laptop:~$ sudo apt-get dist-upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test
mick@mick-deb-laptop:~$ 
source is now

deb http://download.virtualbox.org/virtualbox/debian/ wheezy contrib
deb http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb http://ftp.uk.debian.org/debian/ wheezy main non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy main non-free
deb http://www.deb-multimedia.org/ wheezy main non-free
# deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
# deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free

Re: Remote exploit vulnerability in bash

Posted: 2014-09-28 06:37
by teeitup
What version of bash is actually installed?

Your sources list has a duplicate repository with a more restrictive component list.

Re: Remote exploit vulnerability in bash

Posted: 2014-09-28 08:21
by Hallvor
micksulley: What is the point of hijacking this thread? This is general discussion.

Re: Remote exploit vulnerability in bash

Posted: 2014-09-28 08:45
by micksulley
teeitup wrote: What version of bash is actually installed?

Your sources list has a duplicate repository with a more restrictive component list.
Bash version is 4.2.37(1)-release (x86_64-pc-linux-gnu)


Sorry I don't understand your comment about a more restrictive component list, which one should I remove?

Thanks
Mick

Re: Remote exploit vulnerability in bash

Posted: 2014-09-28 10:37
by kedaha
@micksulley: By the way, you should definitely include security in your SourcesList:

Code:

deb http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free
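The three things the replies to micksulley check by eye (dasein's point about mixing releases, teeitup's remark about one mirror listed with a more restrictive component list, and the security suite kedaha adds here) can be checked mechanically. The script below is an added example, not code from the thread or from Debian: it normalises the "deb" lines of a sources.list, lists the distinct releases, reports whether a security.debian.org entry exists for each, and lists components enabled for one suite of a mirror but not another. The embedded sample is the list micksulley posted; the function names and the report wording are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: lint a Debian sources.list (on stdin)
# for mixed releases, a missing security suite and inconsistent components.
# SAMPLE_SOURCES is the list posted in the thread, embedded here as input.

SAMPLE_SOURCES='deb http://download.virtualbox.org/virtualbox/debian/ wheezy contrib
deb http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb http://ftp.uk.debian.org/debian/ wheezy main non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy main non-free
deb http://www.deb-multimedia.org/ wheezy main non-free
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free'

# Normalise "deb URL SUITE COMP..." lines to "URL SUITE RELEASE COMP,COMP".
# RELEASE is the suite with -updates, -lts, -backports, -proposed-updates or
# /updates stripped, so wheezy-updates and wheezy/updates both map to wheezy.
_parse_deb() {
    awk '
        $1 != "deb" { next }     # skips comments and deb-src lines
        {
            url = $2; suite = $3; release = suite
            sub(/\/updates$/, "", release)
            sub(/-(updates|lts|backports|proposed-updates)$/, "", release)
            comps = ""
            for (i = 4; i <= NF; i++) comps = comps (i > 4 ? "," : "") $i
            print url, suite, release, comps
        }'
}

# Distinct releases, one per line. More than one line means release mixing.
sources_releases() { _parse_deb | awk '{ print $3 }' | sort -u; }

# 0 if a deb line for security.debian.org RELEASE/updates is present.
sources_has_security() {
    _parse_deb | awk -v r="$1" '
        $1 ~ /security\.debian\.org/ && $2 == (r "/updates") { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Per mirror, components enabled for one suite but not for another, e.g.
# contrib on wheezy-updates but not on wheezy. One "URL SUITE lacks COMP" per gap.
sources_component_gaps() {
    _parse_deb | awk '
        {
            n = split($4, c, ",")
            suite_of[$1, $2] = 1
            for (i = 1; i <= n; i++) { comp_of[$1, c[i]] = 1; have[$1, $2, c[i]] = 1 }
        }
        END {
            for (k in comp_of) {
                split(k, p, SUBSEP)
                for (k2 in suite_of) {
                    split(k2, q, SUBSEP)
                    if (q[1] == p[1] && !((p[1], q[2], p[2]) in have))
                        print p[1], q[2], "lacks", p[2]
                }
            }
        }' | sort
}

# Full report for the list on stdin; returns 1 if anything needs attention.
check_sources() {
    content=$(cat)
    rc=0
    releases=$(printf '%s\n' "$content" | sources_releases)
    if [ "$(printf '%s\n' "$releases" | wc -l | tr -d ' ')" -gt 1 ]; then
        echo "mixed releases: $(printf '%s' "$releases" | tr '\n' ' ')"; rc=1
    fi
    for r in $releases; do
        printf '%s\n' "$content" | sources_has_security "$r" ||
            { echo "no security.debian.org entry for $r ($r/updates)"; rc=1; }
    done
    gaps=$(printf '%s\n' "$content" | sources_component_gaps)
    [ -z "$gaps" ] || { echo "$gaps"; rc=1; }
    return $rc
}

if printf '%s\n' "$SAMPLE_SOURCES" | check_sources; then
    echo "sources.list looks consistent"
else
    echo "sources.list needs attention"
fi
```

Run it as "check_sources < /etc/apt/sources.list" on a real machine. On the posted list it flags squeeze alongside wheezy, the absent wheezy/updates entry, and the ftp.uk.debian.org mirror having contrib on wheezy-updates but not on wheezy.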