Hi,
a remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271 and has been given the name Shellshock by some folks out here.
Debian Wheezy (and Squeeze LTS) as well as other Linux distributions have provided security upgrades already; but maybe in case you have to patch an old Debian Lenny distribution you might find it useful, that I’ve fixed and recompiled the latest official Debian Lenny bash v3.2 with the latest patches up to #52 (CVE-2014-6271).
UPDATE: #53 (CVE-2014-7169) has now been included to bash (3.2-15)!
UPDATE: I’ve recompiled this package including #54 by Florian Weimer to resolve an additional issue with clashes; like i.e.
env X='() { (a)=>\’ sh -c “echo date”; cat echo
Please update your package to version bash version 3.2-16!
You may grab the binaries here: https://4ufiles.flo.sh/bash/debian-lenny/
-Flo
Thanks for putting the bash debian packages up. It appears that these fix the original vulnerability but not the second version, i.e.
env X='() { (a)=>\’ sh -c “echo date”; cat echo
is not meant to show the current date. (Example taken from http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an)
Are you planning to also patch that and update the deb package for Lennny?
Thanks
Hey Hans,
thank you for this hint.
I’ve recompiled bash32 once more tonight including patch level #53.
-Flo
Thanks for the update. It still doesn’t fix all vulnerabilities I am afraid:
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
date
Sat Sep 27 08:36:07 BST 2014
I believe it shouldn’t show the date 😉
This is the second vulnerability as summarised at http://arstechnica.com/security/2014/09/new-shellshock-patch-rushed-out-to-resolve-gaps-in-first-fix/
For reference: this is based on the 3.2-15 deb package:
$ apt-cache show bash
Package: bash
Essential: yes
Status: install ok installed
Priority: required
Section: shells
Installed-Size: 1232
Maintainer: Matthias Klose
Architecture: i386
Version: 3.2-15
Thanks
Hi Hans,
thank you for this important notice!
I’ve ran debian/rules clean and dpkg-buildpackage once more on the sources and now I do not get any date response:
[23:28:49] root@roadrunner: /usr/src/bash/bash-3.2> env X='() { (a)=>\’ sh -c “echo date”; cat echo
sh: X: line 1: syntax error near unexpected token `=’
sh: X: line 1: `’
sh: error importing function definition for `X’
date
cat: echo: No such file or directory
Please retry again and let me know if it works now as expected for you.
-Flo
I think it is fine now – many thanks!
Hi Hans,
Florian Weimer has provided an additional patch for bash3.2 resolving this issue correctly. Please update your bash once more to 3.2-16.
-Flo
Hi,
please take this issue on your radar again.
Meanwhile the following CVEs have been patched: CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 and exploit 3 on http://shellshocker.net/ (remark: adding all bash32 bugfixed up to #57).
I’ve updated the binaries to bash (3.2-17)…
-Flo