A new BASH bug?

    #31
    I noticed another bash update this morning. Interestingly, the BlueTooth firmware was also updated.

    As I said before, there will probably be several updates before this bash bug is finally bashed.

    I was somewhat miffed at the reporting of this bug because I interpreted the CVE entry to say that the bug was discovered on 9/9/14 but not reported until 9/24/14. It has long been a mantra in Linux that bugs are reported ASAP, along with proof of concept code, to allow users to adjust their system and/or behavior so as to avoid being affected by the bug. It is well known that proprietary systems frequently keep bugs secret until, for whatever reason, they announce the bug and the patch on the same day, then claim "zero day" fixes. Meanwhile, they sit on other bugs for months or years, or even tell customers that if they want a bug fixed then buy the next version of the OS. Nice. Using their own insecurities as a profit center. I was miffed because I thought RedHat was doing the same thing. Rechecking the CVE I noticed some fine print:
    20140909 Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
    So, the bash bug may not have been, or was NOT, discovered on the 9th and announced on the 24th like I had originally concluded. It was an ASAP announcement.
    Last edited by GreyGeek; Sep 27, 2014, 10:05 AM.
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
    – John F. Kennedy, February 26, 1962.



      #32
      Originally posted by SteveRiley:
      It will end when software becomes perfect. But since software is written by humans, and humans can never be perfect, we will never have flawless software.



      Thank You, Thank You, Thank You!!!! You know how many times I try to tell people that and they still think software is or should be perfect?!!!!



        #33
        Specifically, the test specifies:
        There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system, from a command line, type:

        env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

        If the system is vulnerable, the output will be:

        Code:
        vulnerable
        this is a test
        An unaffected (or patched) system will output:
        Code:
        bash: warning: x: ignoring function definition attempt
        bash: error importing function definition for `x'
        this is a test
        There was another bash update today. Running the test above now shows:
        paul@tanagra:~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
        this is a test
        paul@tanagra:~$
        Won't be getting bashed by bash exploit here.
        Windows no longer obstructs my view.
        Using Kubuntu Linux since March 23, 2007.
        "It is a capital mistake to theorize before one has data." - Sherlock Holmes



          #34
          Originally posted by kubicle:
          dhcp is one of the things that seems vulnerable (but if you're connecting to a malicious dhcp daemon [on an insecure network], you're likely in a world of hurt already)
          Ever set up a DHCP server on the free wireless network in, say, an airport?



            #35
            Another bash upgrade today. That's the third one so far.



              #36
              Originally posted by SteveRiley:
              It will end when software becomes perfect. But since software is written by humans, and humans can never be perfect, we will never have flawless software.
              THE HORROR! What ever will we do? I know, let's ask the government to step in. No, wait, that didn't work last time either. I guess we'll just have to grin and bear it...

              Be glad this isn't Windoze...
              Last edited by TWPonKubuntu; Sep 28, 2014, 11:24 AM.
              Kubuntu 24.11 64bit under Kernel 6.12.3, Hp Pavilion, 6MB ram. Stay away from all things Google...



                #37
                Originally posted by TWPonKubuntu:
                Be glad this isn't Windoze...
                Why, because Windows, while having its own share of vulnerabilities that have taken a few years to fix, never had one so old as this?

                Or because Microsoft also has the capability of releasing emergency out-of-band patches for remote-access vulnerabilities that have exploit code in the wild?

                I fail to understand why people still have the urge to make security comparisons. All software has bugs. Some bugs enable malicious behavior. What matters is that the industry as a whole continue to improve code quality, redouble its efforts at examining legacy code, and remain vigilant against adversaries.



                  #38
                  OK I'll bite... how would we know if there are old vulnerabilities in Windows without being able to see the code? I guess you've seen it, but it's just a black box to the rest of us.

                  I guess you can say there has never been a vulnerability discovered and published, but it must be more difficult to find bugs when you can't read the code!

                  I do agree with your point about comparisons being a bit of a waste of time. I wonder if the BASH vulnerability was discovered because someone thought to have a rummage through some old code after heartbleed was discovered... hopefully all of this will result in more code audits by professionals and hobbyists alike, there are bound to be more bugs to find. Gotta catch 'em all
                  samhobbs.co.uk



                    #39
                    Originally posted by SteveRiley:
                    Why, because Windows, while having its own share of vulnerabilities that have taken a few years to fix, never had one so old as this?

                    Or because Microsoft also has the capability of releasing emergency out-of-band patches for remote-access vulnerabilities that have exploit code in the wild?

                    I fail to understand why people still have the urge to make security comparisons. All software has bugs. Some bugs enable malicious behavior. What matters is that the industry as a whole continue to improve code quality, redouble its efforts at examining legacy code, and remain vigilant against adversaries.
                    My opinion here:
                    [rant]
                    The M$ product and its update system pale in comparison to the 'nix support system. I used M$ (past tense) and sold M$ (again, past tense). Please take no offense here, my comment was never intended to suggest that Linux security is somehow less diligent than "other" software varieties. RE your two options above, I regard them as true statements of how M$ works, however they are embedded in the M$ monolithic architecture and this does not (in my experience) work as well as the Linux system. I'm NOT tempted to compare them point for point (which would be kind of pointless, pun intended). From my experience, Linux works better because it is better.

                    Yes, as you note, every software has glitches and I no longer support the M$ system because the number and frequency of such problems was high. My comment: "Be glad this isn't Windoze..." is my advice to everyone. Enjoy the fact that we are able, allowed, and can afford to use Linux. If that sounds like I am not being "fair" to the M$ product and system, then I confess, I am biased and proud of it...

                    This current vulnerability will be patched and it will be done quickly and publicly. I'm not sure I would claim that for an M$ problem... We now return control of your system to the program in progress: [/rant]
                    Kubuntu 24.11 64bit under Kernel 6.12.3, Hp Pavilion, 6MB ram. Stay away from all things Google...



                      #40
                      Originally posted by Feathers McGraw:
                      OK I'll bite... how would we know if there are old vulnerabilities in Windows without being able to see the code? I guess you've seen it, but it's just a black box to the rest of us.
                      So here's a little bit of truth that a lot of people either don't know or choose to ignore.

                      In the open source world, it's popular to claim "many eyes" help improve overall security. But, recently, the industry has seen two major instances of where this claim is demonstrably false: first Heartbleed, now Shellshock. Yes, the source code is visible for everyone to look at, but who's actually doing that? In the case of OpenSSL and Bash, apparently no one.

                      Here's what happens inside Microsoft. Developers work on code. There are several strict guidelines about safe and unsafe coding -- these came out of the Secure Windows Initiative in the early 2000s. Finished code is given to testers, whose primary job is to try to break stuff. Will they catch everything? Of course not. But they're good at what they do, they know how to think like bad guys, and the tools for finding vulnerable code have steadily improved over time.

                      How many open source projects have the luxury of individuals spending their full time on software quality and assurance?

                      Originally posted by Feathers McGraw:
                      I wonder if the BASH vulnerability was discovered because someone thought to have a rummage through some old code after heartbleed was discovered... hopefully all of this will result in more code audits by professionals and hobbyists alike, there are bound to be more bugs to find. Gotta catch 'em all
                      Software testing is not a sexy job. Testers earn less than developers and (in some organizations) testers are viewed with disdain ("All that ******* does is call my {software | baby} ugly"). Testing is also more difficult than coding. Less sex + more work = fewer interested people. The industry needs to work on this perception, and raise the awareness and the reward structure of the QA aspects of software engineering.



                        #41
                        Originally posted by SteveRiley:
                        Yes, the source code is visible for everyone to look at, but who's actually doing that? In the case of OpenSSL and Bash, apparently no one.
                        Hang on, wasn't the openssl bug found because Google and that other company did code audits?

                        Thanks for your description of how things work at Microsoft, it's interesting. What's the ratio of developers to testers?

                        I read once that security guys often pick through open source projects to get a few CVEs on their CVs, is that true?
                        samhobbs.co.uk



                          #42
                          So... are dash, ksh or tcsh affected?
                          Registered Linux User 545823
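The one-liner quoted in #33 (`env x='() { :;}; echo vulnerable' bash -c "echo this is a test"`) and the question in #42 about dash, ksh and tcsh can be answered with the same probe run against each shell binary. The script below is an added example, not code from the thread or from any of the shell projects; it assumes only a POSIX `sh`, `env` and `command -v`, and the function and file names (`probe_shell`, `report`, `shellshock_probe.sh`) are made up for this example. It generalises the post's single bash check to any shell found on `PATH`: a shell that ignores the trailing command (patched bash, or a shell that never imports functions from the environment at all) is reported as not exploitable via this probe.

```sh
#!/bin/sh
# Added example (not from the thread or the bash/dash projects).
# probe_shell runs the Shellshock probe quoted in the thread against one
# shell binary. Return codes:
#   0 = trailing command was NOT executed (patched, or a shell that does
#       not import functions from the environment)
#   1 = trailing command ran, i.e. "vulnerable" appeared on stdout
#   2 = the requested shell binary is not installed
probe_shell() {
    shell_bin=$(command -v "$1" 2>/dev/null) || return 2
    # Same environment value as the thread's one-liner: a function body
    # followed by a trailing command. Only stdout is inspected; the
    # "ignoring function definition attempt" warnings a patched bash prints
    # on stderr are discarded.
    out=$(env x='() { :;}; echo vulnerable' "$shell_bin" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Print one line per shell named in the thread (#42 asked about dash, ksh
# and tcsh). Shells that are not installed are reported rather than skipped
# silently. The "|| rc=$?" form keeps this safe under "set -e".
report() {
    for s in bash dash ksh tcsh; do
        rc=0
        probe_shell "$s" || rc=$?
        case $rc in
            0) echo "$s: trailing command ignored (not exploitable via this probe)" ;;
            1) echo "$s: VULNERABLE - trailing command was executed" ;;
            2) echo "$s: not installed" ;;
        esac
    done
}

# Run the report only when executed as ./shellshock_probe.sh, so the file
# can also be sourced and probe_shell called on its own.
case "$0" in
    *shellshock_probe.sh) report ;;
esac
```

Running `sh shellshock_probe.sh` on a patched Kubuntu box gives a `bash:` line saying the trailing command was ignored, matching the `this is a test`-only output pasted in #33; `dash:` reports the same because dash never imports functions from the environment, which is the point made in #44 about Kubuntu's default shell.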



                            #43
                            I am having trouble determining what version of bash I have installed or do I have both somehow?

                            If I do this:
                            Code:
                            lee@lee-asrock:~$ bash --version
                            GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)
                            Copyright (C) 2013 Free Software Foundation, Inc.
                            And if I search with apt:
                            Code:
                            bash/trusty-updates,trusty-security,now 4.3-7ubuntu1.4 amd64 [installed]  GNU Bourne Again SHell



                              #44
                              anika200, your installation, if you haven't disabled auto update, was patched twice, once on the 25th and again on the 26th. Other shells are not affected. Kubuntu, btw, uses dash, not bash. Other apps may call bash so that is why it was quickly patched. That scare has mostly evaporated before the script kiddies or pro hackers could exploit it, although many began trying after the bug was announced. But, it was too late. Those who have done a standard install and disabled auto update are probably still vulnerable, as are those who still use "admin" for a name and "12345" for a password.
                              "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
                              – John F. Kennedy, February 26, 1962.



                                #45
                                When I look in synaptic, I see both bash and dash are installed. (and also csh)

                                I read in the press that even after the patches bash is not totally in the clear.
                                Would Kubuntu still work when I remove bash ?
                                When I mark it for removal, I get a warning that it may make Kubuntu unusable.
                                Je suis Charlie, how many more people have to die for religions
                                linux user #447706 on https://linuxcounter.net
                                A good place to start:
                                Topic: Top 20 Kubuntu FAQs & Answers
