
#51 2014-09-27 06:40:19

Awebb
Member
Registered: 2010-05-06
Posts: 6,688

Re: Bash CVE-2014-6271 Vulnerability

nomorewindows wrote:

Apparently the media is trying to *bash* the *nix community with this one.  Another *convenient* reason to use M$.  Looks like to me the problem is already half solved.

Yes, the "media" have been picking on every security hole since Heartbleed was made public.

lolilolicon wrote:

Scripts which specify #!/bin/bash are entitled to use bashisms, since they're asking for it.

Oh, oh... geek shirt incoming.

#!/bin/bash
printf "Now tell me I asked for it!\n"

Offline

#52 2014-09-27 07:58:08

W.F.Cody
Member
From: Ghent
Registered: 2010-11-18
Posts: 155

Re: Bash CVE-2014-6271 Vulnerability

lolilolicon wrote:
Scimmia wrote:

There are many, many things that depend on bashisms, Arch's package management system being one. Getting rid of bash completely is going to be difficult.

Scripts which specify #!/bin/bash are entitled to use bashisms, since they're asking for it.
Scripts which specify #!/bin/sh must not use bashisms, or that's a bug.
From what I gather, nowadays #!/bin/sh scripts are mostly free of bashism -- at least they work with dash.


I relinked /bin/sh to dash just to reduce the number of calls to bash (using zsh as user shell). I do not intend it to become "bash bashing" but for the remaining scripts in Arch linux explicitly calling on Bash - are they all dependent on bash-specific functionality or simply called that way out of habit? I tried to search around whether mksh or dash is best, but since /bin/sh is used in non-interactive stuff I did not find it very important with the nicer stuff mksh provided.

From a general principle point of view, having as much as possible "sh" compatible in the base system would increase choice and thereby diversity - which at least I see as a good thing... but this is pretty off topic (apart from being a way to escape this rather scary bug).


My AUR packages
Any package of mine is up for grabs. If you think you could maintain it better - just contact me!

Offline

#53 2014-09-27 08:28:04

stevenhoneyman
Member
From: England
Registered: 2014-05-25
Posts: 241

Re: Bash CVE-2014-6271 Vulnerability

W.F.Cody wrote:

I tried to search around whether mksh or dash is best, but since /bin/sh is used in non-interactive stuff I did not find it very important with the nicer stuff mksh provided.

Here's a good quick overview: http://rosettacode.org/wiki/Category:UN … ison_table

Offline

#54 2014-09-27 08:29:56

rsmarples
Member
Registered: 2009-05-12
Posts: 287

Re: Bash CVE-2014-6271 Vulnerability

dhcpcd-6.4.7 has been released to mitigate this problem by applying extra sanitisation to variables before passing them to the shell, which may or may not be bash.

Offline
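The post above describes dhcpcd sanitising variables before they reach a hook shell. The following is an added Python example, not dhcpcd's own code, showing one way such a sanitiser can be built from a defender's side: variable names must be plain identifiers, values that open with the `() {` function-export shape are refused, control characters are stripped, and the hook is started with only the accepted variables rather than an inherited environment. The variable names, the sample lease values and the `/bin/sh` hook invocation are constructed for the illustration.

```python
import re
import subprocess

# Constructed sample: variables a DHCP client might export to a hook script.
# "new_domain_name" carries a lease option shaped like a bash function export
# (constructed to show what the sanitiser rejects; as a Python string it is inert).
UNTRUSTED_ENV = {
    "interface": "eth0",
    "reason": "BOUND",
    "new_ip_address": "192.0.2.10",
    "new_host_name": "office-pc",
    "new_domain_name": "() { :;}; echo compromised",
    "bad-name": "value",
}

# Hook variable names: identifiers only, so nothing unusual reaches the shell's parser.
SAFE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Value shape that pre-patch bash treated as an exported function definition.
FUNCTION_EXPORT = re.compile(r"^\s*\(\)\s*\{")


def sanitize_value(value):
    """Keep printable characters only; control characters have no place in lease data."""
    return "".join(ch for ch in value if ch.isprintable())


def sanitize_env(env):
    """Return (accepted, rejected); only `accepted` is handed to a shell-based hook."""
    accepted, rejected = {}, {}
    for name, value in env.items():
        if not SAFE_NAME.match(name):
            rejected[name] = "name is not a plain identifier"
            continue
        if FUNCTION_EXPORT.match(value):
            rejected[name] = "value looks like a bash function export"
            continue
        accepted[name] = sanitize_value(value)
    return accepted, rejected


def run_hook(script, env):
    """Run a hook with only the sanitised variables; the caller's environment is not inherited."""
    accepted, _ = sanitize_env(env)
    # A minimal PATH is added so the hook can find its tools; nothing else leaks through.
    accepted["PATH"] = "/usr/bin:/bin"
    return subprocess.run(["/bin/sh", script], env=accepted, capture_output=True, text=True)


if __name__ == "__main__":
    ok, bad = sanitize_env(UNTRUSTED_ENV)
    for name, why in bad.items():
        print(f"rejected {name}: {why}")
    print("passed to hook:", sorted(ok))
```

Refusing the `() {` shape is a belt-and-braces measure for a client that cannot know which shell `/bin/sh` resolves to; the patched bash packages remain the real fix, and the sanitiser simply stops untrusted network data from ever being handed to a shell in a form that any shell might misread.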

#55 2014-09-27 22:30:04

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,156

Re: Bash CVE-2014-6271 Vulnerability

lolilolicon wrote:

The output means your bash is not vulnerable. A vulnerable bash should have created a file ./echo with "vulnerable" in it.
EDIT: don't worry, our packager is doing a good job. We are using the Red Hat patches, not only the official ones from bash upstream.

That's not how I understood it. From that Red Hat thread, I understood that a patched Red Hat system would not return 'vulnerable' at all. The output I'm getting suggests that the bash I am using is patched but only partially (relative to the Red Hat patches).

This is not necessarily a criticism of the packager. I don't know what pros and cons there are to applying Red Hat's patches either in general or to Arch in particular. I'm not at all claiming that those patches should be applied to Arch. I'm just saying they don't appear to be applied.

I'm not worried about my Arch system since, unless I am gravely mistaken, this threat applies - or applies primarily - to servers, and I am not running (public) servers on my Arch box. [I am more worried about my Fedora system but, even there, as I understand it secure shell is not especially vulnerable.]

I wonder if the increasing number of media splashes concerning security vulnerabilities in unix-like software reflects increasing research on those systems or if it is primarily a result of their higher profile. (When Windows was everywhere, obscure bugs in other systems were not very interesting. I realise that servers were different. But people don't think in those terms. Which is why the Times labels this as a Mac OS X bug, even though the threat is not mostly to systems running OS X since most OS X machines are not running servers.)

[EDIT: My Fedora box gives the same result as Arch. But I'm not sure what the status of Red Hat's patches is in terms of pushing them to the stable updates for non-testing systems.]

Last edited by cfr (2014-09-27 22:39:54)


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L

Offline

#56 2014-09-28 02:53:36

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,510
Website

Re: Bash CVE-2014-6271 Vulnerability

You are wrong.  No line says "vulnerable".   It does say "echo vulnerable", which is different.

From a vulnerable shell:

$ env 'x=() { :;}; echo vulnerable' 'f=() { (a)=>\' \
      bash -c 'echo echo vulnerable'; cat echo
vulnerable
bash: f: line 1: syntax error near unexpected token `='
bash: f: line 1: `'
bash: error importing function definition for `f'
vulnerable

Offline

#57 2014-09-28 06:25:52

smirky
Member
From: Bulgaria
Registered: 2013-02-23
Posts: 277
Website

Re: Bash CVE-2014-6271 Vulnerability

Awebb wrote:

Yes, the "media" have been picking on every security hole since Heartbleed was made public.

If that's true, we should be thankful. The more our security gets compromised, the more UNIX (in our case Linux) will be:

awesome++;

We all benefit from this!

Last edited by smirky (2014-09-28 06:26:38)


Personal spot  ::  https://www.smirky.net/  ::  Try not to get lost!

Offline

#58 2014-09-28 10:20:44

jancici
Member
From: svk
Registered: 2011-12-04
Posts: 192

Re: Bash CVE-2014-6271 Vulnerability

I am using zsh. So I have installed only zsh on my desktop and laptop.
Should I do something?
I am not sure if some program, or something, needs bash, and what happens then.

thanks ...

Offline

#59 2014-09-28 10:25:25

Awebb
Member
Registered: 2010-05-06
Posts: 6,688

Re: Bash CVE-2014-6271 Vulnerability

jancici wrote:

I am using zsh. So I have installed only zsh on my desktop and laptop.
Should I do something?
I am not sure if some program, or something, needs bash, and what happens then.

thanks ...

Replacing bash entirely or rather why it has not been done.

google search term: "replace bash arch" second hit

Offline

#60 2014-09-28 20:52:40

Scimmia
Fellow
Registered: 2012-09-01
Posts: 12,431

Re: Bash CVE-2014-6271 Vulnerability

jancici wrote:

I am using zsh. So I have installed only zsh on my desktop and laptop.
Should I do something?
I am not sure if some program, or something, needs bash, and what happens then.

thanks ...

Just update your system like normal.

Offline

#61 2014-09-29 00:56:23

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Bash CVE-2014-6271 Vulnerability

jancici wrote:

I am using zsh. So I have installed only zsh on my desktop and laptop.
Should I do something?
I am not sure if some program, or something, needs bash, and what happens then.

thanks ...

'pacman -Qi bash' will give you some info.

Offline

#62 2014-09-29 06:40:55

jancici
Member
From: svk
Registered: 2011-12-04
Posts: 192

Re: Bash CVE-2014-6271 Vulnerability

@awebb
thanks for pointing me to that thread

@karol
yes, I did find out that I have still installed bash ...

Offline

#63 2014-09-29 08:49:03

skanky
Member
From: WAIS
Registered: 2009-10-23
Posts: 1,847

Re: Bash CVE-2014-6271 Vulnerability

jancici wrote:

@awebb
thanks for pointing me to that thread

@karol
yes, I did find out that I have still installed bash ...

Just make sure that its version is >= 4.3.026-1

See here for details: http://allanmcrae.com/2014/09/shellshoc … rch-linux/


"...one cannot be angry when one looks at a penguin."  - John Ruskin
"Life in general is a bit shit, and so too is the internet. And that's all there is." - scepticisle

Offline
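The two posts above give the practical check for an Arch box: read the installed version with `pacman -Qi bash` and make sure it is at least 4.3.026-1. The following is an added Python example, not part of the thread and not pacman's code, that parses that output and does the comparison. The sample `pacman -Qi` text is constructed, and the version ordering is a simplified stand-in for pacman's `vercmp` that compares only numeric segments (an assumption that holds for bash's `4.3.NNN-R` scheme but not for versions with alphabetic suffixes).

```python
import re

# Constructed sample of `pacman -Qi bash` output, trimmed to the fields used here.
SAMPLE_QI_OUTPUT = """\
Name            : bash
Version         : 4.3.026-1
Description     : The GNU Bourne Again shell
Architecture    : x86_64
"""

# Minimum fixed version named in the thread.
FIXED_VERSION = "4.3.026-1"


def parse_qi(output):
    """Turn `pacman -Qi` 'Key : Value' lines into a dict; indented continuation lines are skipped."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and not line.startswith(" "):
            fields[key.strip()] = value.strip()
    return fields


def version_key(version):
    """[epoch:]pkgver-pkgrel -> (epoch, pkgver numbers, pkgrel numbers).

    Simplified stand-in for pacman's vercmp (assumption: numeric segments only).
    Python compares the tuples left to right, so epoch outranks pkgver, which outranks pkgrel.
    """
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    pkgver, _, pkgrel = version.partition("-")
    numbers = lambda s: [int(n) for n in re.findall(r"\d+", s)]
    return (epoch, numbers(pkgver), numbers(pkgrel))


def bash_is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed package version is at or above the fixed one."""
    return version_key(installed) >= version_key(fixed)


def check_qi_output(output):
    """Return (installed version, fixed?) from captured `pacman -Qi bash` text."""
    version = parse_qi(output)["Version"]
    return version, bash_is_fixed(version)


if __name__ == "__main__":
    import subprocess
    try:
        out = subprocess.run(["pacman", "-Qi", "bash"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_QI_OUTPUT  # not on Arch: fall back to the constructed sample
    version, fixed = check_qi_output(out)
    print(f"bash {version}: {'at or above' if fixed else 'below'} {FIXED_VERSION}")
```

On a real Arch system the same comparison is available as `vercmp 4.3.026-1 "$(pacman -Q bash | cut -d' ' -f2)"`, which handles every case pacman itself understands; the Python version is there to show what the check is actually deciding.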
