oss-sec mailing list archives
Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code
From: Solar Designer <solar () openwall com>
Date: Sun, 5 Oct 2014 17:44:15 +0400
On Sun, Oct 05, 2014 at 10:22:06AM +0000, Sona Sarmadi wrote:
> I think what most (non-expert) people need is an explanation for each CVE

No. Most non-expert people only need to know that they need either the prefix/suffix patch included or function imports disabled, preferably in a security update from their distro vendor. This makes the individual parser bugs, which got CVEs assigned, irrelevant.

Here's the relevant test:

testfunc='() { echo bad; }' bash -c testfunc

Here's how it works on a patched system:

$ testfunc='() { echo bad; }' bash -c testfunc
bash: testfunc: command not found

and on a (most likely) vulnerable system:

$ testfunc='() { echo bad; }' bash -c testfunc
bad

(I wrote "most likely" because with all CVEs patched the latter system is not actually vulnerable to the currently known parser bugs, but you should want to protect its parser anyway. So such systems need to be updated regardless of whether they're vulnerable to any of the currently assigned CVEs or not.)

> Some questions:
>
> 1) bash43-027 patch exported function namespace change, Florian's mitigation patch that shields the parser from untrusted inputs". This does not solve any specific CVE, but mitigates all CVEs, is this correct?

Yes. It's the most important one of the recent upstream bash patches.

> 2) Do we need to apply *all* of these individual bash patches (i.e. bash43-025 through bash43-029)? Even bash43-027 which is not solving any specific CVE? Or should we apply 27 or all the others?

If you choose to build bash from source (why?) rather than simply use your distro's security update, then it's best to apply all of the upstream patches (currently, bash43-001 through bash43-029). bash43-027 is the most important one, but these patches are intended to be applied one after another, so skipping any of the lower-numbered patches is unsafe (may result in a patch failing to apply or applying or working improperly), and there's no good reason for you to skip any upstream patches anyway.

> 3) Do you have a script or summary of all tests in one place like http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29 or https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck ? Or maybe these are good enough & reliable?

You only need the one-liner test above. Running tests for the various CVEs is a distraction (it's moderately useful e.g. for a distro vendor, to see what non-security bugs may need to be patched, but mostly not for an end-user or sysadmin).

Alexander
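The one-liner test from the message above, wrapped into a small POSIX shell function so it can be dropped into a fleet-wide audit script. This is an added example, not code from Solar Designer's mail or from the bash project; the function name, the optional path argument and the return-code convention are choices made here. It decides only whether bash still imports a function from an arbitrarily named environment variable, which is exactly what the prefix/suffix patch (bash43-027) or disabling function imports removes; it says nothing about the individual parser CVEs, as the mail explains.

```shell
#!/bin/sh
# Added example (not part of the original mail): report whether the bash on
# this system still imports shell functions from arbitrary environment
# variables. That is the property the mail's one-liner tests.
#
# Return codes (convention chosen for this example):
#   0 - bash refused to import the function: prefix/suffix patch present or
#       imports disabled ("bash: testfunc: command not found")
#   1 - the function was imported and ran: bash needs the vendor update
#   2 - no bash binary found, nothing to test
check_bash_function_import() {
    bash_bin=${1:-bash}          # optional: path of the bash to test
    command -v "$bash_bin" >/dev/null 2>&1 || return 2

    # Same test as in the mail: an environment variable whose value looks
    # like an exported function body, under a name bash has no reason to
    # honour. A patched bash only accepts the specially encoded variable
    # names its patch introduces, so "testfunc" is not a command there.
    out=$(testfunc='() { echo bad; }' "$bash_bin" -c testfunc 2>/dev/null)
    [ "$out" = "bad" ] && return 1
    return 0
}

# Human-readable verdict for the return code above, for audit logs.
describe_function_import_status() {
    case "$1" in
        0) echo "ok: bash does not import functions from arbitrary variables" ;;
        1) echo "UPDATE NEEDED: bash still imports functions from arbitrary variables" ;;
        2) echo "skipped: no bash binary found" ;;
        *) echo "unknown status $1" ;;
    esac
}

main() {
    if check_bash_function_import "$@"; then rc=0; else rc=$?; fi
    describe_function_import_status "$rc"
    return "$rc"
}

main "$@"
```

Run it as `sh check.sh` to test the bash found first in PATH, or `sh check.sh /path/to/bash` to test a specific binary such as a freshly built one, and treat return code 1 as "update regardless of which CVEs it is or is not vulnerable to", as the mail says.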
Current thread:
- Shellshocker - Repository of "Shellshock" Proof of Concept Code Jose R R (Oct 04)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code Michal Zalewski (Oct 05)
- RE: Shellshocker - Repository of "Shellshock" Proof of Concept Code Sona Sarmadi (Oct 05)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code Hanno Böck (Oct 05)
- RE: Shellshocker - Repository of "Shellshock" Proof of Concept Code Sona Sarmadi (Oct 05)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code Jose R R (Oct 05)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code Solar Designer (Oct 05)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code Jose R R (Oct 06)
- RE: Shellshocker - Repository of "Shellshock" Proof of Concept Code Sona Sarmadi (Oct 05)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code Michal Zalewski (Oct 05)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code Solar Designer (Oct 05)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code David A. Wheeler (Oct 05)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code Rob Fuller (Oct 05)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code Solar Designer (Oct 05)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code Solar Designer (Oct 05)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code David A. Wheeler (Oct 05)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code Solar Designer (Oct 05)
- RE: Shellshocker - Repository of "Shellshock" Proof of Concept Code Sona Sarmadi (Oct 05)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code Kurt Seifried (Oct 05)
- RE: Shellshocker - Repository of "Shellshock" Proof of Concept Code Sona Sarmadi (Oct 06)
- Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code Solar Designer (Oct 06)