
Remote exploit vulnerability in bash

PostPosted: 2014-09-24 19:00
by dasein

Re: Remote exploit vulnerability in bash

PostPosted: 2014-09-24 20:33
by kedaha
Thanks for your post; I see at dsa-3032:
For the stable distribution (wheezy), this problem has been fixed in version 4.2+dfsg-0.1+deb7u1.

So I've updated server and desktop immediately.
Code:
# aptitude dist-upgrade
The following packages will be upgraded:
  apt apt-utils bash libapt-inst1.5 libapt-pkg4.12

Fixed.

Re: Remote exploit vulnerability in bash

PostPosted: 2014-09-24 20:49
by Hallvor
Thank you.

Re: Remote exploit vulnerability in bash

PostPosted: 2014-09-25 22:06
by kedaha
I see it's been called the "Shell Shock Bug". And the news media are making quite a meal out of it.
Anyway, just in case: DashAsBinSh. 8)

Re: Remote exploit vulnerability in bash

PostPosted: 2014-09-26 02:47
by Spock

Re: Remote exploit vulnerability in bash

PostPosted: 2014-09-26 15:38
by dasein

Re: Remote exploit vulnerability in bash

PostPosted: 2014-09-26 21:37
by dasein
Sometimes the obvious fix isn't actually, well, you know... a fix.

http://arstechnica.com/security/2014/09 ... first-fix/

Re: Remote exploit vulnerability in bash

PostPosted: 2014-09-27 01:39
by Spock

Re: Remote exploit vulnerability in bash

PostPosted: 2014-09-27 06:36
by kedaha
My server's configured to use dash:
Code:
$ apt-cache policy dash
dash:
  Installed: 0.5.7-3

Out of curiosity, I simulated (since curiosity killed the cat) removing bash and got:
Code:
$ aptitude remove -s bash
The following packages will be REMOVED: 
  bash
0 packages upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
Need to get 0 B of archives. After unpacking 3,739 kB will be freed.
The following ESSENTIAL packages will be REMOVED!
  bash

WARNING: Performing this action will probably cause your system to break!
         Do NOT continue unless you know EXACTLY what you are doing!
To continue, type the phrase "I am aware that this is a very bad idea":
I am aware that this is a very bad idea
Would download/install/remove packages.

I have no intention of removing bash, but I just wondered if this might also be "a very bad idea" when the system has been reconfigured to use dash as the default system shell. My guess is that it could be removed providing essential dependencies didn't get removed with it.

Re: Remote exploit vulnerability in bash

PostPosted: 2014-09-27 13:04
by micksulley
How do I fix this????

My version is
Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.57-3

I have run
apt-get update
apt-get upgrade
and it tells me everything is up to date but running the test I get

mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test

Advise please????

Re: Remote exploit vulnerability in bash

PostPosted: 2014-09-27 13:40
by n_hologram
Have you tried:

# apt-get dist-upgrade

Re: Remote exploit vulnerability in bash

PostPosted: 2014-09-27 15:53
by micksulley
Yes I tried that and it didn't work -

Code:
mick@mick-deb-laptop:~$ sudo apt-get dist-upgrade
[sudo] password for mick:
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
mick@mick-deb-laptop:~$
mick@mick-deb-laptop:~$
mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test
mick@mick-deb-laptop:~$


Re: Remote exploit vulnerability in bash

PostPosted: 2014-09-27 16:11
by Bulkley
micksulley wrote:
mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test

Advise please????


Show us your sources.

Re: Remote exploit vulnerability in bash

PostPosted: 2014-09-27 16:38
by micksulley
deb http://download.virtualbox.org/virtualbox/debian/ wheezy contrib
deb http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb http://ftp.uk.debian.org/debian/ wheezy main non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy main non-free
deb http://www.deb-multimedia.org/ wheezy main non-free
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free

Re: Remote exploit vulnerability in bash

PostPosted: 2014-09-27 16:46
by dasein
Repo mixing and matching doesn't work across stable versions, either.

If you've been running Debian for two years, then it's probably time to learn the basics of Debian releases and repositories.

https://www.debian.org/releases/
https://wiki.debian.org/SourcesList
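
An added example, not part of any post in the thread: a shell check that reads a sources list and reports mixed release codenames, the problem named in the reply above, and the absence of a `<release>/updates` entry. The function names are hypothetical, the sample is a constructed subset of the list posted above, and treating `<release>/updates` as the security suite is this example's assumption.

```shell
#!/bin/sh
# Added example: audit an APT sources list for mixed releases and a missing security suite.

# Constructed sample: a subset of the sources list posted in the thread.
sample_sources() {
cat <<'EOF'
deb http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb http://ftp.uk.debian.org/debian/ wheezy main non-free
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
EOF
}

# Print the suite field of each deb/deb-src line, skipping an optional [options] field.
suites() {
    awk '$1 == "deb" || $1 == "deb-src" {
        i = 2
        if ($i ~ /^\[/) { while ($i !~ /\]$/ && i < NF) i++; i++ }
        print $(i + 1)
    }' "$@"
}

# Reduce suites to release codenames (wheezy-updates and wheezy/updates both give wheezy).
releases() {
    suites "$@" | sed -e 's|/.*$||' -e 's/-.*$//' | sort -u
}

# Succeed if an entry uses a <release>/updates suite. Assumption of this example:
# that is the suite naming of the security archive for these releases.
has_security_suite() {
    suites "$@" | grep -q '/updates$'
}

# Print one finding per line; print nothing when the list is consistent.
audit_sources() {
    src=$(cat "$@")
    n=$(printf '%s\n' "$src" | releases | wc -l | tr -d ' ')
    [ "$n" -gt 1 ] && echo "mixed releases:" $(printf '%s\n' "$src" | releases)
    printf '%s\n' "$src" | has_security_suite || echo "no <release>/updates security suite"
    return 0
}

# Run against the sample; pass /etc/apt/sources.list as an argument for a real system.
sample_sources | audit_sources
```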