[opensuse] Security: bash: still vulnerable ( CVE-2014-6277 )
Hello,
I just updated my SuSE 13.1 system, bash to GNU bash, version 4.2.47(1)-release (x86_64-suse-linux-gnu) which is bash-4.2-68.8.1.x86_64.rpm
But according to https://shellshocker.net/ I am still vulnerable to Exploit 7 (CVE-2014-6277):
bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable
Segmentation fault
vulnerable
I read "Note from the SUSE Security Team This issue is already mitigated by the function hardening patch introduced in the update for CVE-2014-7169.
Novell Bugzilla entries: 898664, 898762, 898812, 898884 " [ http://support.novell.com/security/cve/CVE-2014-6277.html ]
which does not seem to be correct.
Any ideas when this will be fixed?
BR ME
On Wed, 2014-10-08 at 20:23 +0200, MarkusGMX wrote:
> Hello,
> I just updated my SuSE 13.1 system, bash to GNU bash, version 4.2.47(1)-release (x86_64-suse-linux-gnu) which is bash-4.2-68.8.1.x86_64.rpm
> But according to https://shellshocker.net/ I am still vulnerable to Exploit 7 (CVE-2014-6277):
> bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable
> Segmentation fault
> vulnerable
> I read "Note from the SUSE Security Team This issue is already mitigated by the function hardening patch introduced in the update for CVE-2014-7169.
> Novell Bugzilla entries: 898664, 898762, 898812, 898884 " [ http://support.novell.com/security/cve/CVE-2014-6277.html ]
> which does not seem to be correct.
> Any ideas when this will be fixed?
> BR ME
It's not actually vulnerable to attack, it's simply crashing. If I recall there is already a patch in the pipes coming soon.
On 10/08/2014 11:23 AM, MarkusGMX wrote:
> bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable
> Segmentation fault
> vulnerable
Since it core dumps, it returns to the prior process, and it doesn't appear to gain access to anything that could be exploited (other than creating a not very big core).
On Wed, Oct 08, 2014 at 08:23:42PM +0200, MarkusGMX wrote:
> Hello,
> I just updated my SuSE 13.1 system, bash to GNU bash, version 4.2.47(1)-release (x86_64-suse-linux-gnu) which is bash-4.2-68.8.1.x86_64.rpm
> But according to https://shellshocker.net/ I am still vulnerable to Exploit 7 (CVE-2014-6277):
> bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable
> Segmentation fault
> vulnerable
> I read "Note from the SUSE Security Team This issue is already mitigated by the function hardening patch introduced in the update for CVE-2014-7169.
> Novell Bugzilla entries: 898664, 898762, 898812, 898884 " [ http://support.novell.com/security/cve/CVE-2014-6277.html ]
> which does not seem to be correct.
> Any ideas when this will be fixed?
I fixed the script on shellshocker.net.
Ciao, Marcus
Well, this is interesting.
Last week:
jdebert@demonstrabo:~> bash -c "f() { x() { _;}; x() { _;} <<a; }"\
2>/dev/null || echo vulnerable
jdebert@demonstrabo:~>
Today:
jdebert@demonstrabo:~> bash -c "f() { x() { _;}; x() { _;} <<a; }"\
2>/dev/null || echo vulnerable
Segmentation fault
vulnerable
jdebert@demonstrabo:~>
jdebert@demonstrabo:~> rpm -q bash
bash-4.2-61.15.1.i586
jd
On Sun, Oct 12, 2014 at 09:06:59AM -0700, jdebert wrote:
> Well, this is interesting.
> Last week:
> jdebert@demonstrabo:~> bash -c "f() { x() { _;}; x() { _;} <<a; }"\
> 2>/dev/null || echo vulnerable
> jdebert@demonstrabo:~>
> Today:
> jdebert@demonstrabo:~> bash -c "f() { x() { _;}; x() { _;} <<a; }"\
> 2>/dev/null || echo vulnerable
> Segmentation fault
> vulnerable
> jdebert@demonstrabo:~>
Doesn't bash's documentation explain that this is supposed to happen?
> jdebert@demonstrabo:~> rpm -q bash
> bash-4.2-61.15.1.i586
> jd
On 10/12/2014 06:06 PM, jdebert wrote:
> bash -c "f() { x() { _;}; x() { _;} <<a; }"\
> 2>/dev/null || echo vulnerable
> Segmentation fault
> vulnerable
I'd file a bug for this. It's "nice" that the few existing shellshocker tests pass, but it's not okay that bash segfaults in other cases.
Have a nice day, Berny
Please Marcus, I'm confused.
www:~ # bash -c "f() { x() { _;}; x() { _;} <<a; }"\
2>/dev/null || echo vulnerable
Segmentation fault
vulnerable
www:~ # rpm -q bash
bash-4.2-61.15.1.i586
That is after doing an update
Ruben
On Fri, Oct 10, 2014 at 08:10:41AM +0200, Marcus Meissner wrote:
> On Wed, Oct 08, 2014 at 08:23:42PM +0200, MarkusGMX wrote:
> > Hello,
> > I just updated my SuSE 13.1 system, bash to GNU bash, version 4.2.47(1)-release (x86_64-suse-linux-gnu) which is bash-4.2-68.8.1.x86_64.rpm
> > But according to https://shellshocker.net/ I am still vulnerable to Exploit 7 (CVE-2014-6277):
> > bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable
> > Segmentation fault
> > vulnerable
> > I read "Note from the SUSE Security Team This issue is already mitigated by the function hardening patch introduced in the update for CVE-2014-7169.
> > Novell Bugzilla entries: 898664, 898762, 898812, 898884 " [ http://support.novell.com/security/cve/CVE-2014-6277.html ]
> > which does not seem to be correct.
> > Any ideas when this will be fixed?
> I fixed the script on shellshocker.net.
> Ciao, Marcus
Hi,
The current advice on the shellshocker.net web site is to run the following:
curl https://shellshocker.net/shellshock_test.sh | bash
On a 13.1 system with bash-4.2-68.8.1.x86_64, every test results in a "not vulnerable" message....
Brendan
On 12/10/14 19:40, Ruben Safir wrote:
> Please Marcus, I'm confused.
> www:~ # bash -c "f() { x() { _;}; x() { _;} <<a; }"\
> 2>/dev/null || echo vulnerable
> Segmentation fault
> vulnerable
> www:~ # rpm -q bash
> bash-4.2-61.15.1.i586
> That is after doing an update
> Ruben
> On Fri, Oct 10, 2014 at 08:10:41AM +0200, Marcus Meissner wrote:
> > On Wed, Oct 08, 2014 at 08:23:42PM +0200, MarkusGMX wrote:
> > > Hello,
> > > I just updated my SuSE 13.1 system, bash to GNU bash, version 4.2.47(1)-release (x86_64-suse-linux-gnu) which is bash-4.2-68.8.1.x86_64.rpm
> > > But according to https://shellshocker.net/ I am still vulnerable to Exploit 7 (CVE-2014-6277):
> > > bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable
> > > Segmentation fault
> > > vulnerable
> > > I read "Note from the SUSE Security Team This issue is already mitigated by the function hardening patch introduced in the update for CVE-2014-7169.
> > > Novell Bugzilla entries: 898664, 898762, 898812, 898884 " [ http://support.novell.com/security/cve/CVE-2014-6277.html ]
> > > which does not seem to be correct.
> > > Any ideas when this will be fixed?
> > I fixed the script on shellshocker.net.
> > Ciao, Marcus
On 10/12/2014 03:19 PM, Brendan McKenna wrote:
> The current advice on the shellshocker.net web site is to run the following:
> curl https://shellshocker.net/shellshock_test.sh | bash
> On a 13.1 system with bash-4.2-68.8.1.x86_64, every test results in a "not vulnerable" message....
Same here
Hello,
On Sun, 12 Oct 2014, James Knott wrote:
> On 10/12/2014 03:19 PM, Brendan McKenna wrote:
> > The current advice on the shellshocker.net web site is to run the following:
> > curl https://shellshocker.net/shellshock_test.sh | bash
> > On a 13.1 system with bash-4.2-68.8.1.x86_64, every test results in a "not vulnerable" message....
> Same here
Same here on 12.1 with the "just linked to Base:System/bash" package I build for 12.1-13.1 + Tumbleweed ...
$ rpm -q --qf '%{name}-%{version}-%{release}\n%{distribution}\n%{buildtime:date}\n' bash
bash-4.2-255.1
home:dnh / openSUSE_12.1_Update_standard
Mon 06 Oct 2014 10:32:03 AM CEST
$ bash shellshock_test.sh
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
-dnh
On Mon, Oct 13, 2014 at 06:38:36AM +0200, David Haller wrote:
> Hello,
> On Sun, 12 Oct 2014, James Knott wrote:
> > On 10/12/2014 03:19 PM, Brendan McKenna wrote:
> > > The current advice on the shellshocker.net web site is to run the following:
> > > curl https://shellshocker.net/shellshock_test.sh | bash
> > > On a 13.1 system with bash-4.2-68.8.1.x86_64, every test results in a "not vulnerable" message....
> > Same here
> Same here on 12.1 with the "just linked to Base:System/bash" package I build for 12.1-13.1 + Tumbleweed ...
> $ rpm -q --qf '%{name}-%{version}-%{release}\n%{distribution}\n%{buildtime:date}\n' bash
> bash-4.2-255.1
> home:dnh / openSUSE_12.1_Update_standard
> Mon 06 Oct 2014 10:32:03 AM CEST
> $ bash shellshock_test.sh
> CVE-2014-6271 (original shellshock): not vulnerable
> CVE-2014-6277 (segfault): not vulnerable
> CVE-2014-6278 (Florian's patch): not vulnerable
> CVE-2014-7169 (taviso bug): not vulnerable
> CVE-2014-7186 (redir_stack bug): not vulnerable
> CVE-2014-7187 (nested loops off by one): not vulnerable
> CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
That's because I fixed the test on shellshocker.net to detect the actual security issue "better". The actual bash segfault (not a security issue) might still be there, but either a bash fix was pushed already or will be.
Ciao, Marcus
On Sun, Oct 12, 2014 at 02:40:34PM -0400, Ruben Safir wrote:
> Please Marcus, I'm confused.
> www:~ # bash -c "f() { x() { _;}; x() { _;} <<a; }"\
> 2>/dev/null || echo vulnerable
> Segmentation fault
> vulnerable
> www:~ # rpm -q bash
> bash-4.2-61.15.1.i586
> That is after doing an update
This non-security bug was also fixed in the meantime (during my vacation).
Ciao, Marcus
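The distinction the thread draws between the segfault and the actual security issue, as an added example that is not part of any post and is not the shellshocker.net script: it classifies the exit status of the quoted test instead of printing "vulnerable" on any failure, and separately checks whether bash still turns an ordinary environment variable into a function. That second check assumes this is what the function hardening patch prevents; `probe_fn` and the verdict strings are constructed names.

```shell
#!/bin/sh
# Added example, not from the thread or from shellshocker.net.

# Map an exit status to a verdict. A status above 128 means the process
# was killed by signal (status - 128); 139 is SIGSEGV (signal 11).
classify_status() {
    case "$1" in
        0)   echo "clean" ;;
        139) echo "crash-sigsegv" ;;
        *)   if [ "$1" -gt 128 ]; then
                 echo "crash-signal-$(( $1 - 128 ))"
             else
                 echo "error-exit-$1"
             fi ;;
    esac
}

# Run the parser test quoted in the thread and classify the result,
# rather than treating every non-zero status as "vulnerable".
parser_test() {
    bash -c "f() { x() { _;}; x() { _;} <<a; }" >/dev/null 2>&1
    classify_status "$?"
}

# Hardening check (assumption: a hardened bash ignores function-looking
# values in ordinary variables). The body is a no-op; only the import
# itself is observed through declare -F.
env_import_test() {
    if env 'probe_fn=() { :; }' bash -c 'declare -F probe_fn' >/dev/null 2>&1
    then echo "imports-functions-from-plain-variables"
    else echo "plain-variables-not-imported"
    fi
}

report() {
    echo "parser test:     $(parser_test)"
    echo "function import: $(env_import_test)"
}

report
```

A "crash-sigsegv" parser result together with "plain-variables-not-imported" matches the situation described in the replies: bash still crashes on the input, but an ordinary environment variable no longer reaches the function parser.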
participants (10)
- Bernhard Voelker
- Brendan McKenna
- David Haller
- James Knott
- jdebert
- John Andersen
- Marcus Meissner
- MarkusGMX
- Roger Luedecke
- Ruben Safir