bash bug / shell shock now fixed on Raspbian
The well-publicised vulnerability in bash appears to have been fixed in Raspbian some time in the last couple of hours (after 9am, before 1pm Thu 25 Sept 2014 BST). Thank you to the Raspbian, Foundation and/or other staff that have done this so quickly.
If your Pi is connectable from the outside world, you should update/upgrade urgently.
http://www.theregister.co.uk/2014/09/24 ... hell_vuln/
aoakley@khepri:~$ env X="() { :;} ; echo busted" `which bash` -c "echo completed"
busted
completed
aoakley@khepri:~$ sudo apt-get update && sudo apt-get -y dist-upgrade
...
The following packages will be upgraded:
bash libnss3
...
aoakley@khepri:~$ env X="() { :;} ; echo busted" `which bash` -c "echo completed"
/bin/bash: warning: X: ignoring function definition attempt
/bin/bash: error importing function definition for `X'
completed
Andrew Oakley - Cotswold Raspberry Jam, Gloucestershire - http://www.cotswoldjam.org
Re: bash bug / shell shock now fixed on Raspbian
Great news. Thanks for posting.
Re: bash bug / shell shock now fixed on Raspbian
aoakley wrote: The well-publicised vulnerability in bash appears to have been fixed in Raspbian some time in the last couple of hours (after 9am, before 1pm Thu 25 Sept 2014 BST).
The fixed package was available by the end of Wednesday (UTC) from at least some mirrors.
aoakley wrote: If your Pi is connectable from the outside world, you should update/upgrade urgently.
If your Pi gives bash unsanitised environment variables from the internet, in contexts where the remote user is not trusted to run arbitrary commands, I suggest disconnecting it to fix that issue and audit your code.
Re: bash bug / shell shock now fixed on Raspbian
Yeah, I don't get this "bug" at all. Which probably means that it's just never been adequately explained to me.
But, here's my understanding of it. What's the difference between:
myfunc() { do something bad when myfunc gets called }
and:
myfunc() { Only do good things here }; do Something Bad here
The main difference is that in the first method, it just doesn't happen right away.
And some folks need to stop being fanboys and see the forest behind the trees.
(One of the best lines I've seen on this board lately)
Re: bash bug / shell shock now fixed on Raspbian
BBC journalists manage to get things wrong as normal....
"Bash - which stands for Bourne-Again SHell - is a command prompt on many Unix computers. Unix is an operating system on which many others are built, such as Linux and Mac OS."
"a command prompt"... It's an interpreter not a prompt !
And someone who writes "Linux is built on Unix" doesn't understand the history of the relationship.
PeterO
Last edited by PeterO on Thu Sep 25, 2014 1:56 pm, edited 1 time in total.
Discoverer of the PI2 XENON DEATH FLASH!
Interests: C,Python,PIC,Electronics,Ham Radio (G0DZB),1960s British Computers.
"The primary requirement (as we've always seen in your examples) is that the code is readable. " Dougie Lawson
Re: bash bug / shell shock now fixed on Raspbian
How To ask Questions :- http://www.catb.org/esr/faqs/smart-questions.html
WARNING - some parts of this post may be erroneous YMMV
1QC43qbL5FySu2Pi51vGqKqxy3UiJgukSX
Covfefe
Re: bash bug / shell shock now fixed on Raspbian
aoakley wrote: aoakley@khepri:~$ env X="() { :;} ; echo busted" `which bash` -c "echo completed"
That will test whether bash is vulnerable.
To test whether your SYSTEM is vulnerable do
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
Interesting read, thanks

- Richard-TX
Re: bash bug / shell shock now fixed on Raspbian
I have known about the bash bug for quite some time. I dismissed it as yet another reason to not use bash as a scripting shell. For more years than I care to admit to, I have insisted at work that everyone write all shell scripts in /bin/sh; if for no other reason than portability. Now I can add security to that list of reasons.
I once went on a job site to do some consulting. I was shown a very elaborate script written in ksh. My comment was, "I see that the author went out of his way to write a script that could only be executed in korn shell." The response was "I hear a lot of that."
Anyway, the bottom line is that my rule to write all shell scripts in /bin/sh seems to be a good one. Not that /bin/sh is totally secure but it seems better than the alternatives.
Richard
Somehow "I told you so" just doesn't quite say it.
Richard
Doing Unix since 1985.
The 9-25-2013 image of Wheezy can be found at:
http://downloads.raspberrypi.org/raspbian/images/raspbian-2013-09-27/2013-09-25-wheezy-raspbian.zip
Re: bash bug / shell shock now fixed on Raspbian
Richard-TX wrote: I have known about the bash bug for quite some time..
And you didn't tell anyone ?
PeterO
- ShiftPlusOne
- Raspberry Pi Engineer & Forum Moderator
Re: bash bug / shell shock now fixed on Raspbian
Probably worth mentioning that it's not fixed in jessie yet.
Re: bash bug / shell shock now fixed on Raspbian
ShiftPlusOne wrote: Probably worth mentioning that it's not fixed in jessie yet.
jessie/testing doesn't get security updates like wheezy/stable does. Instead the updates go straight into (Debian) sid/unstable and then trickle down to jessie within a few days.
Re: bash bug / shell shock now fixed on Raspbian
Seeing as this is the first search link that comes up for 'raspberry pi shellshock' for me, I think it's worth mentioning that to update the pi, users can open a terminal and type sudo apt-get update and this should install all the packages to fix this bug.
(Correct me if I'm wrong about that, only new to this.)
ty
- DougieLawson
Re: bash bug / shell shock now fixed on Raspbian
This is hardly a big deal for a stand-alone Pi sitting on a NAT'd LAN with one or two users and no shell access from the public internet for random users.
The BBC article was shouting "#weareallgoingtodie!" over something that's somewhat less than exciting and mostly a trivial thing discovered by a security researcher with too much time on his hands.
Languages using left-hand whitespace for syntax are ridiculous
DMs sent on https://twitter.com/DougieLawson or LinkedIn will be answered next month.
Fake doctors - are all on my foes list.
The use of crystal balls and mind reading is prohibited.
Re: bash bug / shell shock now fixed on Raspbian
I've seen reports on irc that +deb7u1 fixes the initial bug but there is a variant that it doesn't fix 

Re: bash bug / shell shock now fixed on Raspbian
shellshock wrote: Seeing as this is the first search link that comes up for 'raspberry pi shellshock' for me, I think it's worth mentioning that to update the pi, users can open a terminal and type sudo apt-get update and this should install all the packages to fix this bug.
(Correct me if I'm wrong about that, only new to this.)
ty
The solution was given in the first post in the thread......
PeterO
Re: bash bug / shell shock now fixed on Raspbian
Should
sudo rpi-update
fix this? It does not here.
Dennis
- ShiftPlusOne
- Raspberry Pi Engineer & Forum Moderator
Re: bash bug / shell shock now fixed on Raspbian
Nope, rpi-update is for rpi specific stuff like the kernel and firmware.
Re: bash bug / shell shock now fixed on Raspbian
I ran
sudo apt-get update && sudo apt-get -y dist-upgrade
It took a long time to run, supposedly fixed a lot of stuff.
Ran the test and shell shock problem is fixed.
Thanks
Dennis
Re: bash bug / shell shock now fixed on Raspbian
The patches are not sufficient. A new CVE has been given:
http://web.nvd.nist.gov/view/vuln/detai ... -2014-7169
Re: bash bug / shell shock now fixed on Raspbian
What if we don't want to fully upgrade the distro, just fix the bash bug?
My understanding is that
dpkg -s bash | grep Version
...will show which version of Bash is currently installed.
What I don't know is which is the latest / most recent 'bad' version in Raspbian, and which is the earliest 'good' version.
As far as I know
sudo apt-get update && sudo apt-get install bash
...will install the latest available version of bash over the currently installed version, and then doing this again
dpkg -s bash | grep Version
..should confirm the new / current version of bash?
After doing this on 25th September 2014 the output from the above command is
Version: 4.2+dfsg-0.1+deb7u1
Final edit: after a couple of patch-ups, the final fully fixed version now available from the repos for Raspbian is
Version: 4.2+dfsg-0.1+deb7u3
Last edited by SiriusHardware on Tue Oct 07, 2014 7:02 pm, edited 1 time in total.
Re: bash bug / shell shock now fixed on Raspbian
SiriusHardware wrote: What if we don't want to fully upgrade the distro, just fix the bash bug?
aptitude safe-upgrade bash
SiriusHardware wrote: which is the earliest 'good' version.
for wheezy: 4.2+dfsg-0.1+deb7u1
for jessie: 4.3-9.1
SiriusHardware wrote: sudo apt-get update && sudo apt-get install bash
That works too.
SiriusHardware wrote: After doing this on 25th September 2014 the output from the above command is
Version: 4.2+dfsg-0.1+deb7u1
So you have a version which fixed the first reported issue, but as cyrano reported, it's not all that needs to be fixed.
Re: bash bug / shell shock now fixed on Raspbian
shellshock wrote: Seeing as this is the first search link that comes up for 'raspberry pi shellshock' for me, I think it's worth mentioning that to update the pi, users can open a terminal and type sudo apt-get update and this should install all the packages to fix this bug.
(Correct me if I'm wrong about that, only new to this.)
ty
Sorry, you missed a step. apt-get update only updates the list of available packages. After that's done, either run "apt-get upgrade" to upgrade all packages that you have installed for which newer versions are available, or "apt-get install bash" in order to install the latest version of bash, which will replace your currently-installed version.
It's good practice to periodically update your system anyway with: apt-get update; apt-get upgrade
Re: bash bug / shell shock now fixed on Raspbian
For the most up to date fix (the initial fix was incomplete) you need version 4.2+dfsg-0.1+deb7u3 which should have hit the raspbian wheezy repos sometime between midnight and 1AM UK time.
Jessie is still vulnerable to the variant attack right now, hopefully it should be fixed soon.
Re: bash bug / shell shock now fixed on Raspbian
I ran
# apt-get update
# apt-get upgrade
but my bash is still vulnerable.
# cat /etc/debian_version
7.1
# dpkg -s bash | grep Version
Version: 4.2+dfsg-0.1
root@domoticzpi:/etc/apt# apt-get update
Hit http://raspberrypi.collabora.com wheezy Release.gpg
Hit http://distribution-us.hexxeh.net wheezy Release.gpg
Hit http://raspberrypi.collabora.com wheezy Release
Hit http://distribution-us.hexxeh.net wheezy Release
Hit http://archive.raspberrypi.org wheezy Release.gpg
Hit http://raspberrypi.collabora.com wheezy/rpi armhf Packages
Hit http://archive.raspberrypi.org wheezy Release
Hit http://distribution-us.hexxeh.net wheezy/main armhf Packages
Hit http://archive.raspberrypi.org wheezy/main armhf Packages
Hit http://distribution-us.hexxeh.net wheezy/contrib armhf Packages
Hit http://distribution-us.hexxeh.net wheezy/non-free armhf Packages
Hit http://distribution-us.hexxeh.net wheezy/rpi armhf Packages
Ign http://raspberrypi.collabora.com wheezy/rpi Translation-en_SG
Ign http://archive.raspberrypi.org wheezy/main Translation-en_SG
Ign http://raspberrypi.collabora.com wheezy/rpi Translation-en
Ign http://archive.raspberrypi.org wheezy/main Translation-en
Ign http://distribution-us.hexxeh.net wheezy/contrib Translation-en_SG
Ign http://distribution-us.hexxeh.net wheezy/contrib Translation-en
Ign http://distribution-us.hexxeh.net wheezy/main Translation-en_SG
Ign http://distribution-us.hexxeh.net wheezy/main Translation-en
Ign http://distribution-us.hexxeh.net wheezy/non-free Translation-en_SG
Ign http://distribution-us.hexxeh.net wheezy/non-free Translation-en
Ign http://distribution-us.hexxeh.net wheezy/rpi Translation-en_SG
Ign http://distribution-us.hexxeh.net wheezy/rpi Translation-en
Reading package lists... Done
root@domoticzpi:/etc/apt# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@domoticzpi:/etc/apt# apt-get install bash
Reading package lists... Done
Building dependency tree
Reading state information... Done
bash is already the newest version.
The following package was automatically installed and is no longer required:
libelf1
Use 'apt-get autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
What am I missing?
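The test command and the wheezy version strings quoted in the posts above, combined into one check (an added example, not part of the thread; the function names are hypothetical and the version mapping covers only the wheezy strings quoted here):

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Run the thread's function-import test against one shell binary.
# It only detects the first-reported bug; the thread notes a variant that
# +deb7u1 does not fix, so the package version is checked separately below.
probe_shell() {
    shell=$1
    [ -x "$shell" ] || { echo "missing"; return 0; }
    out=$(env X='() { :;} ; echo busted' "$shell" -c 'echo completed' 2>/dev/null) || true
    case $out in
        *busted*)    echo "vulnerable" ;;
        *completed*) echo "not-vulnerable" ;;
        *)           echo "unknown" ;;
    esac
}

# Map a wheezy bash package version to the status reported in the thread:
#   4.2+dfsg-0.1         reported as still vulnerable
#   4.2+dfsg-0.1+deb7u1  fixes the first reported issue only
#   4.2+dfsg-0.1+deb7u3  reported as the fully fixed version
classify_wheezy_bash() {
    ver=$1
    case $ver in
        4.2+dfsg-0.1) echo "unpatched"; return 0 ;;
        4.2+dfsg-0.1+deb7u*) n=${ver##*+deb7u} ;;
        *) echo "unknown"; return 0 ;;
    esac
    # Reject anything that is not a plain update number after "deb7u".
    case $n in
        ''|*[!0-9]*) echo "unknown"; return 0 ;;
    esac
    if [ "$n" -ge 3 ]; then
        echo "fixed"
    elif [ "$n" -ge 1 ]; then
        echo "partial"
    else
        echo "unknown"
    fi
}

# Probe both bash and the system shell, then classify the installed package.
report() {
    for s in /bin/bash /bin/sh; do
        printf '%s: %s\n' "$s" "$(probe_shell "$s")"
    done
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Version}' bash 2>/dev/null) || v=""
        printf 'bash package %s: %s\n' "${v:-not-installed}" "$(classify_wheezy_bash "$v")"
    fi
}

report
```

A result of "not-vulnerable" from the probe together with "partial" from the version check is the state described in the thread for +deb7u1: the first issue is fixed but the variant is not.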
Re: bash bug / shell shock now fixed on Raspbian
Richard-TX wrote: I have known about the bash bug for quite some time..
PeterO wrote: And you didn't tell anyone ?
PeterO
Indeed. One of the worst security bugs ever (10 out of 10), in the code for 22 years, and you sat on it? The original report for this was 09/24/2014. If anyone knew about this from before that, well, not reporting it was practically criminal. Are you sure you knew about it?
Principal Software Engineer at Raspberry Pi Ltd.
Working in the Applications Team.