Message-ID: <20141005134415.GA22543@openwall.com>
Date: Sun, 5 Oct 2014 17:44:15 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code

On Sun, Oct 05, 2014 at 10:22:06AM +0000, Sona Sarmadi wrote:
> I think what most (non-expert) people need is an explanation for each CVE No.

Most non-expert people only need to know that they need either the
prefix/suffix patch included or function imports disabled, preferably in
a security update from their distro vendor. This makes the individual
parser bugs, which got CVEs assigned, irrelevant.

Here's the relevant test:

testfunc='() { echo bad; }' bash -c testfunc

Here's how it works on a patched system:

$ testfunc='() { echo bad; }' bash -c testfunc
bash: testfunc: command not found

and on a (most likely) vulnerable system:

$ testfunc='() { echo bad; }' bash -c testfunc
bad

(I wrote "most likely" because with all CVEs patched the latter system is
not actually vulnerable to the currently known parser bugs, but you should
want to protect its parser anyway. So such systems need to be updated
regardless of whether they're vulnerable to any of the currently assigned
CVEs or not.)

> Some questions:
> 1) bash43-027 patch exported function namespace change, Florian's
> mitigation patch that shields the parser from untrusted inputs". This
> does not solve any specific CVE, but mitigates all CVEs, is this correct?

Yes. It's the most important one of the recent upstream bash patches.

> 2) Do we need to apply *all* of these individual bash patches (i.e.
> bash43-025 through bash43-029)? Even bash43-027 which is not solving any
> specific CVE? Or should we apply 27 or all the others?

If you choose to build bash from source (why?) rather than simply use your
distro's security update, then it's best to apply all of the upstream
patches (currently, bash43-001 through bash43-029). bash43-027 is the
most important one, but these patches are intended to be applied one after
another, so skipping any of the lower-numbered patches is unsafe (may
result in a patch failing to apply or applying or working improperly), and
there's no good reason for you to skip any upstream patches anyway.

> 3) Do you have a script or summary of all tests in one place like
> http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29 or
> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck ?
> Or maybe these are good enough & reliable?

You only need the one-liner test above. Running tests for the various
CVEs is a distraction (it's moderately useful e.g. for a distro vendor, to
see what non-security bugs may need to be patched, but mostly not for an
end-user or sysadmin).

Alexander
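The one-liner from the message above, wrapped as a small POSIX sh check so a fleet or build script can classify a host (added example; not code from Solar Designer's message, from bash, or from the bashcheck script). It also probes the BASH_FUNC_<name>%% encoding that the prefix/suffix patch introduced; that the suffix is "%%" is an assumption about the upstream encoding, and a vendor build may use a different one.

```shell
#!/bin/sh
# Added example, not from the original message. Reports whether the local
# bash still imports a function from an arbitrary environment variable
# (the pre-bash43-027 behaviour that made the parser bugs reachable).

# Prints "vulnerable" if bash imports testfunc from a plain variable,
# "patched" if the import is refused, "no-bash" if bash is not installed.
legacy_import_status() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return; }
    # Exact test from the message; stderr is dropped so that the
    # "command not found" message from a patched bash stays silent.
    out=$(testfunc='() { echo bad; }' bash -c testfunc 2>/dev/null) || true
    if [ "$out" = bad ]; then echo vulnerable; else echo patched; fi
}

# After the prefix/suffix patch, exported functions travel in variables
# named BASH_FUNC_<name>%% (assumed upstream encoding). Prints
# "namespaced" if bash honours that encoding, "unknown" otherwise.
namespaced_import_status() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return; }
    # env(1) is used because "%%" is not a valid shell variable name.
    out=$(env 'BASH_FUNC_testfunc%%=() { echo ok; }' bash -c testfunc 2>/dev/null) || true
    if [ "$out" = ok ]; then echo namespaced; else echo unknown; fi
}

# Stand-alone run: print both results for the host this script runs on.
echo "legacy env-var function import: $(legacy_import_status)"
echo "BASH_FUNC_name%% function import: $(namespaced_import_status)"
```

A host reporting "vulnerable" needs the distro security update regardless of which individual CVE tests it passes, exactly as the message says.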