Slash Boxes

SoylentNews is people

posted by n1 on Thursday September 25 2014, @01:59AM   Printer-friendly
from the well,-that's-not-ideal dept.

Ars reports that a new bug has been found in GNU Bash allows remote attackers to execute arbitrary code by setting the process trailing strings after function definitions in the values of environment variables.

This bug is reported to be present in RHEL (ver 4 through 7), Fedora, CentOS (ver 5 through 7), Ubuntu (ver 10.04 LTS, 12.04 LTS, and 14.04 LTS), Debian, and even OS X Mavericks.

This bug is exploitable through Apache servers with mod_cgi and mod_cgid loaded, OpenSSH, malicious DHCP servers in a compromised wireless access point through dhclient, as well as the CUPS printing system.

The Ars also includes a simple single liner that will test your setup for the newly found discovery:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable system will output the following:

 this is a test

While a patched or unaffected system outputs:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

A patch is already out, so administrators are advised to update Bash.

Editor's Update: Security Engineer Tavis Ormandy has said "The bash patch seems incomplete to me, function parsing is still brittle".

$ env X='() { (a)=>\' sh -c "echo date"; cat echo

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3) by No.Limit on Thursday September 25 2014, @05:54PM

    by No.Limit (1965) on Thursday September 25 2014, @05:54PM (#98340)

    I kinda agree with you that non-FOSS software gets bashed too hard over security holes (though with non-FOSS software you have no chance to fix it, while with FOSS software you can. Whether one is more secure than the other is quite hard to tell).

    However, doing a conclusion from just one horrific example just isn't scientific. So no, the 'many eyes' myth isn't busted now.
    It's much rather the case that the 'many eyes' argument isn't even proven in the first place. So we can simply see it as a theory that sounds logical, but isn't necessarily true. And here we have another indicator against it.

    Technically, all we can say is that neither FOSS nor non-FOSS software is secure. But that's not really useful for people that want to compare the security of the two ideologies.

    Starting Score:    1  point
    Moderation   +1  
       Underrated=1, Total=1
    Karma-Bonus Modifier   +1  

    Total Score:   3  
  • (Score: 2) by Hairyfeet on Friday September 26 2014, @12:22AM

    by Hairyfeet (75) <> on Friday September 26 2014, @12:22AM (#98446) Journal

    It doesn't even SOUND logical if you take more than 5 seconds to think about it, yet its trotted out as a fucking FEATURE of Linux and FOSS! Right now the plans for the MIG15 are online, why don't you build me one and have it ready by Thursday....what is that? you don't have the skills nor the manpower? DING DING DING we have a winner johnny!

    Handing somebody like ohh say me or you, whom I assume don't have a masters in CompSci and 15+ years in low level C coding under your belt? Worthless, completely fucking worthless, yet because Joe "I don't know jack shit more than I learnt in that VB class I took 15 years ago" Blow can download the source for bash this somehow magically means that somebody with the skills of a Bruce Schneier has done and continues to do in depth code audits of the same code.....WTF? this is as batshit as saying "Because vampires COULD exist and there are people that disappear forever each year that means vampires DO exist and are turning people"....doesn't matter that we have exactly ZERO evidence this is going on, no proof whatsoever that this is happening, the simple fact that it COULD happen means that it IS happening.

    So I'm sorry but they can waste modpoints all they want I'm throwing a flag, delusional bullshit on the field! We have seen exactly ZERO evidence of "many eyes" happening and a mountain of evidence that many eyes is bullshit, because if it were real why is there major exploitable bugs being found in this software that if many eyes were real should have been vetted a hundred times over...hmm? Remember folks source code isn't magical despite what the more batshit FOSSies would have you believe, it doesn't magically perform code audits on itself, it doesn't magically give you the skils to debug itself AND the things it calls AND anything calling it, in fact we can only show with any certainty ONE and only ONE benefit to having source and that is the fact that IF a piece of software is abandoned AND you can build up a team to support it you CAN keep it afloat. We have evidence of this with KDE 3 so this is something we can say with certainty is possible? many eyes? We have the same amount of evidence for many eyes being real as we do for alien abduction, namely anecdotes and bullshit.

    ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.