[ALUG] Critical bug in bash: remote code execution

Thu Sep 25 17:40:23 EAT 2014

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It is advised that you update your systems IMMEDIATELY as this is already
being exploited in the wild.
Most linux distributions already have patched versions in their repositories.

Note: this bug affect OSX as well. If you have OSX machines, you'll need
to recompile bash with the patch and reinstall it.

- - - Chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUJCk5AAoJEItN0WshMzvbylYP/1IfH5NpT1/j9n/iFuSOD2zC
5VCDqQjAlfSh61D7ubIvy25OCr26IeQdVyQs+SZ/+5twb6CM9vQbd0mJcOqsTDjm
BZ79Wj1rVBi0eC9JOgKMxwFfoNEPbcSpMhcVuJZyArrSjCqL/4o5dKYC6wIQK8gS
bS1NYKVlQmiYdItGifFvRVMy9hovKlGlcI2swiCyGl9IkgKVMbxDUhBP/WVaePP4
24XG7GltvoHPb/Yr/YnLixB23ul5Bkg+aGXrWWAxycbFVJc+qIXKjecrNBPvyUvY
5Ha2As/JSv3lxS036O5in2RJKl0E4LhOPVKe6YDFUU+By4Qn1n3vr9qv/fYMggMn
Kqu5aem08oVsjiOwIzaLrFcWdeJqwzzIUn9pk4/ft2eOt0TL7tbASQbjyhwXiJ0o
s2+fHI2broL4pBNawcvZkyWpT4YYIs+/k8KYsKWv4BSCMfNVUMWMuLFPBPZG526R
0XRyrK1oO2m067w8HrzrHF9Ee4I7Yhi1lCkIDZ6iH7PY0e7Bn3EdFlx9Tc6viBow
ExZNuicTo78DUu2XPeWGC9B9M43AZmAOPKfjqgkUXVTiV9CoaYSmjcoCEPQI+Nr6
mZKAfSq3EObxZhQ/SDDPsekfgX5VMB5OO6lrywbMzrfo+oWcIpWCZs30liwLWP4n
b1lFxf4EMx4itLxkLI3W
=2Bb8
-----END PGP SIGNATURE-----

On Thu, Sep 25, 2014 at 5:33 PM, Andreas Tauscher via Linux
<linux at lists.habari.co.tz> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> A critical bug [1] allows to execute any code. Anything an attacker
> has to do is setting a special environment variable.
> All major distributions have already released updates.
>
> To take advantage of the bug access to bash is needed. For example if
> the ssh access is limited this limitations can be bypassed.
> Also webservers using bash scripts as CGI are vulnerable.
>
> Form the RedHat blog [2] is this short script to test if your version
> of bash is vulnerable:
> env x='() { :;}; echo OOPS' bash -c /bin/true
>
> How is this working:
> The attacker is defining within the variable x a function. Ok, nothing
> serious. But bash does after this definition not stop to parse code.
>
> On a vulnerable bash you will get the output OOPS
> A fixed bash will quit with an error:
> bash: warning: x: ignoring function definition attempt
> bash: error importing function definition for `x'
>
> Andreas
>
> [1] https://access.redhat.com/security/cve/CVE-2014-6271
> [2]
> http://community.redhat.com/blog/2014/09/critical-bash-security-vulnerability-update-your-systems-today/
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBAgAGBQJUJCelAAoJEEeUknxlyOoQ0FYP/2ReLuksNM6bo4tpacxxN4P6
> RYCsJfF2GVQFhMyrP8cCqh+m1jSYO2aCaTMtk4GU5oKI187X878suA9/7YoOW1mm
> nw21vYZYF9mRNzF8zmTfwZ4+7ofRi8H1NlfcC7HQNWjeUr8g1oDdICFGYGg9OUFA
> W4JzBHYvLyPzLoAcKHBj6DcBC18h/SBGdUGESx6Iz20+zkCOXbcGyCqBg1d3ifOM
> fe/GIRM0K7ZsDa+ZPlUQE5Qyfq2UrCE9k+QFx6xc3nxn9DKgCTTMvckIZ9XYZknj
> Oh9fl+Z2/TqYU40ZIc0A3fSEbfqYY6EgRXnYryA8Tzy4wmW3tcVdLWgg08sb6Zqb
> /oikovYAOEDQEvaz7N6oa/ELpS4mgA8J05f+e4s2xe1EtnEEGaYmfBAX0v6HsPU9
> vsT+u25cnC49EAbUOJx85VT/7xN0GLUnkxbebHtLbqw/gEcbnvC1CuY1/VfyiNUr
> khFFqw/VRoh7edv0pZkgCowx2wZoiWdsv/FM6646VGgMMw3DH3LGFo49hANjcuRG
> lYWxITV7U0DlzAjkxmgsPEiqsf42uEZsoFw6NgRzlEJTP7rz+Jd9L5A0ME6hISTg
> EHZahtPq4bo8mcj9hybpg1O8dS0K8qin58OTOWKGXykgUQi6nTh9Go4vezOuAjpJ
> 4nOhTABCv1c4lYno5cbm
> =uFFe
> -----END PGP SIGNATURE-----
> _______________________________________________
> The Arusha Linux User Group: http://unix.or.tz
> Linux mailing list
> Linux at lists.habari.co.tz
> http://lists.habari.co.tz/cgi-bin/mailman/listinfo/linux
>
> The Arusha LUG mailing list is generously hosted by Habari Node Ltd: http://www.habari.co.tz/
>
> The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way.