Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 5 Oct 2014 17:44:15 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code

On Sun, Oct 05, 2014 at 10:22:06AM +0000, Sona Sarmadi wrote:
> I think what most (non-expert) people need is an explanation for each CVE

No.  Most non-expert people only need to know that they need either the
prefix/suffix patch included or function imports disabled, preferably in
a security update from their distro vendor.  This makes the individual
parser bugs, which got CVEs assigned, irrelevant.

Here's the relevant test:

testfunc='() { echo bad; }' bash -c testfunc

Here's how it works on a patched system:

$ testfunc='() { echo bad; }' bash -c testfunc
bash: testfunc: command not found

and on a (most likely) vulnerable system:

$ testfunc='() { echo bad; }' bash -c testfunc
bad

(I wrote "most likely" because with all CVEs patched the latter system
is not actually vulnerable to the currently known parser bugs, but you
should want to protect its parser anyway.  So such systems need to be
updated regardless of whether they're vulnerable to any of the currently
assigned CVEs or not.)

> Some questions:
>  1) bash43-027   patch  exported function namespace change,  Florian's mitigation patch that shields the parser from untrusted inputs". This does not solve any specific CVE, but mitigates all CVEs, is this correct?

Yes.  It's the most important one of the recent upstream bash patches.

> 2) Do we need to apply *all* of these individual bash patches (i.e. bash43-025 through bash43-029)? Even  bash43-027 which is not solving any specific CVE?  Or should we apply 27 or all the others?

If you choose to build bash from source (why?) rather than simply use
your distro's security update, then it's best to apply all of the
upstream patches (currently, bash43-001 through bash43-029).  bash43-027
is the most important one, but these patches are intended to be applied
one after another, so skipping any of the lower-numbered patches is
unsafe (may result in a patch failing to apply or applying or working
improperly), and there's no good reason for you to skip any upstream
patches anyway.

> 3) Do you have a script or summary of all tests in one place like  http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29 or https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck ? Or maybe these are good enough & reliable? 

You only need the one-liner test above.  Running tests for the various
CVEs is a distraction (it's moderately useful e.g. for a distro vendor,
to see what non-security bugs may need to be patched, but mostly not for
an end-user or sysadmin).

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ