Story 2014-09-25 2SWX Vulnerability in Bash Shell widespread and serious

by
in security on (#2SWX)
Upgrade now, if you can. A bug discovered in the widely used Bash command interpreter poses a critical security risk to Unix and Linux systems - and, thanks to their ubiquity, the internet at large.

From the Register:
It lands countless websites, servers, PCs, OS X Macs, various home routers, and more, in danger of hijacking by hackers.

The vulnerability is present in Bash up to and including version 4.3, and was discovered by Stephane Chazelas. It puts Apache web servers, in particular, at risk of compromise: CGI scripts that use or invoke Bash in any way - including any child processes spawned by the scripts - are vulnerable to remote-code injection. OpenSSH and some DHCP clients are also affected on machines that use Bash.
Now is also a good time to wipe your servers and reinstall Minix or Plan9 as a precaution. ;)
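A first-pass inventory for the CGI exposure described in the story, as an added example that is not part of the original story or the Register article: it lists scripts under a directory whose `#!` line names bash, or names sh on a host where sh is bash, and checks a version string against the "up to and including version 4.3" range. All function names are hypothetical. A shebang scan does not catch programs in other languages that spawn Bash child processes, which the story says are also affected.

```shell
#!/bin/sh
# Added example (not from the original story): list scripts in a CGI
# directory that would be run by bash. All function names are hypothetical.

# Print the interpreter basename from FILE's "#!" line (empty if none).
interp_of() {
    first=
    IFS= read -r first < "$1" || [ -n "$first" ] || return 0
    case $first in '#!'*) ;; *) return 0 ;; esac
    set -f; set -- ${first#'#!'}; set +f      # split into words, no globbing
    prog=${1##*/}
    # "#!/usr/bin/env bash": the interpreter is env's first argument.
    if [ "$prog" = env ] && [ $# -ge 2 ]; then prog=${2##*/}; fi
    printf '%s\n' "$prog"
}

# True if the given sh binary is really bash (bash sets BASH_VERSION
# even when it is invoked as sh).
sh_is_bash() {
    [ -n "$("${1:-/bin/sh}" -c 'printf %s "${BASH_VERSION-}"' 2>/dev/null)" ]
}

# True if VERSION (e.g. "4.3.11(1)-release") is <= 4.3, the range the story
# gives. Patched distro builds keep the same number, so a match means
# "verify the patch level", not "vulnerable".
in_affected_range() {
    case $1 in [0-9]*.[0-9]*) ;; *) return 2 ;; esac
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -le 3 ]; }
}

# scan_cgi DIR [yes|no]: the second argument overrides sh-is-bash detection.
scan_cgi() {
    if [ -n "${2-}" ]; then sh_bash=$2
    elif sh_is_bash; then sh_bash=yes; else sh_bash=no; fi
    find "$1" -type f | sort | while IFS= read -r f; do
        case $(interp_of "$f") in
            bash) printf 'bash %s\n' "$f" ;;
            sh) if [ "$sh_bash" = yes ]; then printf 'sh-is-bash %s\n' "$f"; fi ;;
        esac
    done
}

# Run as: sh thisfile DIR   (does nothing when no directory is given)
if [ $# -gt 0 ]; then scan_cgi "$@"; fi
```

File names containing newlines are not handled by the `find | while read` loop.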
15 comments

Incomplete patch (Score: 1)

by seriously@pipedot.org on 2014-09-25 15:19 (#2SWZ)

Note that the patch issued yesterday fixes only part of the issue and some vulnerabilities remain, so patch now but be ready to patch again soon ;-)

Also, according to the bug report, the remaining problems also impact zsh. (edit: this has been refuted since then)

Some more detailed info on the general issue can be found at Red Hat's security blog

Re: Incomplete patch (Score: 1)

by zafiro17@pipedot.org on 2014-09-25 11:06 (#2SX2)

Interesting - I didn't know about the zsh aspect of it and almost put in a wisecrack about upgrading to zsh to stay safe - glad I didn't!

BTW, if anyone knows a good tutorial for the zsh I'd be interested. There are lots of blogs but no great, single resource other than the manual, which is many pages too long.

Re: Incomplete patch (Score: 2, Informative)

by seriously@pipedot.org on 2014-09-25 12:32 (#2SXA)

Also, according to the bug report, the remaining problems also impact zsh.
This has been refuted in the same bug report, so zsh is safe from this issue. You can consider the upgrade ;)

mksh workalike (Score: 2, Interesting)

by evilviper@pipedot.org on 2014-09-25 11:44 (#2SX5)

If you don't need quite all the bash-isms, mksh is a great lightweight replacement, which is almost entirely drop-in compatible:

* http://mirbsd.de/mksh

I prefer mksh primarily because bash goes horribly brain-dead when you attempt line-editing on command lines that wrap-around to the next line. Your bash session becomes practically unusable after you hit that limit (which I do, often) and it first wigs-out:

* http://i.imgur.com/Vo2BQq2.png

It doesn't hurt that the mksh binary is 3.4X smaller, starts-up faster, is more responsive, can be statically linked, and doesn't hold open 28 files, all of which matters a lot in a minimal system recovery type situation.

Re: mksh workalike (Score: 1)

by zafiro17@pipedot.org on 2014-09-25 11:54 (#2SX6)

Yeah, I've seen that freak-out too, and it's annoying. Are you running term on blackbox, by the way? How wonderfully oldschool (and non-UTF). If Aterm had only gotten utf support I'd still be using it now.

Re: mksh workalike (Score: 1)

by evilviper@pipedot.org on 2014-09-25 15:09 (#2SX8)

Are you running [a]term on blackbox, by the way?
That screen shot is quite old... These days I run urxvt on Fluxbox! Completely different...
If Aterm had only gotten utf support I'd still be using it now.
It did. Aterm was merged into, and deprecated in favor of, urxvt / rxvt-unicode:

* https://en.wikipedia.org/wiki/Rxvt-unicode
* http://www.afterstep.org/news.php?show=2008

Works great for me, just like good old aterm plus some new features like anti-aliased and scalable freetype fonts, resize on-the-fly with escape sequences, etc. Seems to be in most repos. I'm glad it's still going, because the clumsiness of xterm is even more frustrating than bash.

Re: mksh workalike (Score: 5, Informative)

by eliphas@pipedot.org on 2014-09-25 12:52 (#2SXF)

[...]because bash goes horribly brain-dead when you attempt line-editing on command lines that wrap-around to the next line. Your bash session becomes practically unusable after you hit that limit (which I do, often)[...]
Hate that too. But for you guys that happen to know/use vi (who doesn't :D) navigation with HJKL and commands, like:
3w - to go to third word from current position
dw - to delete word
c4f. - to replace all text from current position to the fourth ". dot" character (try that with other editing mode!), etc...

Put "set editing-mode vi" in /etc/inputrc (a lot of CLI programs use readline and will read that) or "set -o vi" for your current bash shell or bashrc.
VI mode on command line is a bliss, and "set -o vi" is the first thing I put on my .rc files where I first login on a new server. Bummer that some minimalistic shells like busybox's (only sh there) do not have that :(

Re: mksh workalike (Score: 2)

by seriously@pipedot.org on 2014-09-25 15:18 (#2SXM)

Oh my ... d$, yw, p, u, it all works !! that's insane (as in vi: press "ESC" and "i" to switch modes)

I had never even heard of that and I've been using it for years. I owe you a beer and probably some new hours of life expectancy too :-)

edit: ... "edit" ? is that an awesome new feature of pipedot for logged-in users?

Re: mksh workalike (Score: 2, Informative)

by evilviper@pipedot.org on 2014-09-25 22:05 (#2SY2)

FYI, editing works more like deleting your comment... It will revert any moderation your comment has gotten, and your comment will show up highlighted like it is a "new" comment in the discussion.

Re: mksh workalike (Score: 0)

by Anonymous Coward on 2014-09-26 05:34 (#2SYE)

That seems strange. Won't that disturb the discussion? What happens to replies?

Re: mksh workalike (Score: 1)

by bryan@pipedot.org on 2014-09-26 08:02 (#2SYH)

Editing a comment does the following:
  • Removes any positive moderation
  • Resets the edit time of the comment (shows up blue again)
It does not delete the comment or interfere with any of the replies.

Re: mksh workalike (Score: 0)

by Anonymous Coward on 2014-09-27 01:43 (#2SZ7)

Is there a fuse? Like to stop evil people from revising history that makes them look bad later after they get caught? Does the post get an obvious "edited" (thus tainted) badge? Maybe with the original versions available if you click on that badge?

Re: mksh workalike (Score: 0)

by Anonymous Coward on 2014-09-27 01:44 (#2SZ8)

bug: posting as Anonymous Coward lets me then edit all other Anon Coward posts!

Re: mksh workalike (Score: 1)

by zafiro17@pipedot.org on 2014-09-28 09:03 (#2SZV)

Hmm. I don't know the code but suspect the fix will involve ACs being able to edit their own posts ...

Re: mksh workalike (Score: 1)

by computermachine@pipedot.org on 2014-09-25 19:24 (#2SXR)

Put "set editing-mode vi" in /etc/inputrc (a lot of CLI programs use readline and will read that) or "set -o vi" for your current bash shell or bashrc
Thanks! This is great!