Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 6 Oct 2014 01:06:23 -0700
From: Jose R R <jose.r.r@...ztli.com>
To: oss-security@...ts.openwall.com
Subject: Re: Shellshocker - Repository of "Shellshock" Proof of
 Concept Code

> This shows that your two systems are not vulnerable.

> A "vulnerable but non-exploitable" condition doesn't actually exist.
> It only means there's a non-security bug that would have been a security
> bug under different circumstances (which is why it got a CVE ID).

Indeed, Solar, input appreciated.

*all* the bash patches, including the latest ones (bash43-030 released
on Oct. 05, 2014, in this particular instance <
http://ftp.gnu.org/gnu/bash/bash-4.3-patches/ >) are included in a:

git clone git://git.savannah.gnu.org/bash.git

And then proceeding to build bash locally...

>> Thus agreeing with Sona:

> This shows the widespread confusion.

There is no more confusion. Snapshot below shows local build of bash
with your one-liner test at the end:

https://pbs.twimg.com/media/BzP42tHCcAEEvHP.png:large

On Sun, Oct 5, 2014 at 7:02 AM, Solar Designer <solar@...nwall.com> wrote:
> On Sun, Oct 05, 2014 at 04:38:15AM -0700, Jose R R wrote:
>> Hanno,
>>
>> < https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck >
>>
>> I've downloaded your bash test script and executed it against a Debian
>> 7 (Wheezy) -patched system (upper image)
>>
>> as well as a local Debian Sid (unstable) build of bash where I applied
>> the October 02, 2014, bash43-029 (Bottom image)
>>
>> < https://pbs.twimg.com/media/BzLfeIICQAA30vb.png:large >
>
> This shows that your two systems are not vulnerable.
>
> A "vulnerable but non-exploitable" condition doesn't actually exist.
> It only means there's a non-security bug that would have been a security
> bug under different circumstances (which is why it got a CVE ID).
>
>> Thus agreeing with Sona:
>
> This shows the widespread confusion.
>
>> "but I think what most (non-expert) people
>> need is an explanation for each CVE, a set of test case from some
>> reliable source (preferably a script that runs all test cases and
>> shows vulnerable/not-vulnerable status) and a set of patches. So that
>> they can apply the patches, run the tests and assert that their
>> systems are not vulnerable to shellshock anymore."
>
> You only need the one-liner test from my reply to Sona:
>
> http://www.openwall.com/lists/oss-security/2014/10/05/7
>
> testfunc='() { echo bad; }' bash -c testfunc
>
> (Besides, tests for some of those CVEs can't be made reliable anyway.)
>
> Alexander

Best Professional Regards

-- 
Jose R R
http://www.metztli-it.com
---------------------------------------------------------------------------------------------
NEW Apache OpenOffice 4.1.1! Download for GNU/Linux, Mac OS, Windows.
---------------------------------------------------------------------------------------------
Daylight Saving Time in USA & Canada ends: Sunday, November 02, 2014
---------------------------------------------------------------------------------------------

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.