Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 6 Oct 2014 01:06:23 -0700
From: Jose R R <jose.r.r@...ztli.com>
To: oss-security@...ts.openwall.com
Subject: Re: Shellshocker - Repository of "Shellshock" Proof of
 Concept Code

> This shows that your two systems are not vulnerable.

> A "vulnerable but non-exploitable" condition doesn't actually exist.
> It only means there's a non-security bug that would have been a security
> bug under different circumstances (which is why it got a CVE ID).

Indeed, Solar, input appreciated.

*all* the bash patches, including the latest ones (bash43-030 released
on Oct. 05, 2014, in this particular instance <
http://ftp.gnu.org/gnu/bash/bash-4.3-patches/ >) are included in a:

git clone git://git.savannah.gnu.org/bash.git

And then proceeding to build bash locally...

>> Thus agreeing with Sona:

> This shows the widespread confusion.

There is no more confusion. Snapshot below shows local build of bash
with your one-liner test at the end:

https://pbs.twimg.com/media/BzP42tHCcAEEvHP.png:large

On Sun, Oct 5, 2014 at 7:02 AM, Solar Designer <solar@...nwall.com> wrote:
> On Sun, Oct 05, 2014 at 04:38:15AM -0700, Jose R R wrote:
>> Hanno,
>>
>> < https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck >
>>
>> I've downloaded your bash test script and executed it against a Debian
>> 7 (Wheezy) -patched system (upper image)
>>
>> as well as a local Debian Sid (unstable) build of bash where I applied
>> the October 02, 2014, bash43-029 (Bottom image)
>>
>> < https://pbs.twimg.com/media/BzLfeIICQAA30vb.png:large >
>
> This shows that your two systems are not vulnerable.
>
> A "vulnerable but non-exploitable" condition doesn't actually exist.
> It only means there's a non-security bug that would have been a security
> bug under different circumstances (which is why it got a CVE ID).
>
>> Thus agreeing with Sona:
>
> This shows the widespread confusion.
>
>> "but I think what most (non-expert) people
>> need is an explanation for each CVE, a set of test case from some
>> reliable source (preferably a script that runs all test cases and
>> shows vulnerable/not-vulnerable status) and a set of patches. So that
>> they can apply the patches, run the tests and assert that their
>> systems are not vulnerable to shellshock anymore."
>
> You only need the one-liner test from my reply to Sona:
>
> http://www.openwall.com/lists/oss-security/2014/10/05/7
>
> testfunc='() { echo bad; }' bash -c testfunc
>
> (Besides, tests for some of those CVEs can't be made reliable anyway.)
>
> Alexander

Best Professional Regards

-- 
Jose R R
http://www.metztli-it.com
---------------------------------------------------------------------------------------------
NEW Apache OpenOffice 4.1.1! Download for GNU/Linux, Mac OS, Windows.
---------------------------------------------------------------------------------------------
Daylight Saving Time in USA & Canada ends: Sunday, November 02, 2014
---------------------------------------------------------------------------------------------

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ