[arm-allstar] bash patch

David McGough kb4fxc at inttek.net
Sun Sep 28 08:30:00 EST 2014


Hi,

When I say no security concern, what I mean is that there is no way, 
in the stock 1.1 release, to exploit this vulnerability.

I agree this -could- be a nasty little bug. But, think about it: How is a 
would-be intruder going to exploit this bug???  In the test sample, listed 
below, the user already must have shell access in order to run the 
test--so, you've gained nothing.

This bash bug does not provide a means for privilege escalation, 
either--unless some sysadmin has *unwisely* configured some bash script 
SUID root.

Anyhow, this issue is fixed in the upcoming 1.2 release. And, it's fine to 
manually patch the 1.1 release. But, do this cautiously to avoid breaking 
the Asterisk installation!


73, David KB4FXC



On Sun, 28 Sep 2014, (KP4TR)Ramon Gonzalez wrote:

> Hello,
> 
> I'm not sure why you say there are no security concerns with the old 
> version of bash. There is, and anyone who can try it out can test 
> themselves.
> 
> The patch for Archlinux to patch this vulnerability is simple for the 
> BBB 1.1 of Archlinux:
> 
> 1. To test vulnerability, copy and paste this:
>      env x='() { :;}; echo vulnerable' bash -c "echo If you see the word vulnerability above, you are"
> 
> 2. To patch it, just update bash:
>      pacman -S bash
> 
> 3. Run step 1 again, and you won't have the vulnerability
> 
> 
> 
> On 9/28/2014 2:04 AM, David McGough wrote:
> > Hi Mark,
> >
> > We've already got bash updated in the upcoming 1.2 release. But, for those
> > running a "stock" 1.1, there are NO current security concerns with the old
> > version of bash. By that, I mean there is no way to use bash to exploit
> > the system.
> >
> > The 1.2 release fixes a long list of issues that were present in 1.1. So,
> > keep an eye out for this update!
> >
> >
> > 73, David KB4FXC
> >
> >
> > On Sun, 28 Sep 2014, Mark Herson, N2MH wrote:
> >
> >> Hello to the group!
> >>
> >> This past week, Dave Cameron, VE7LTD, sent to the IRLP group information
> >> about a problem with bash along with various fixes to this problem
> >> depending on distro. Will bash be fixed in the new release of AllStar BBB
> >> code?
> >>
> >> 73, Mark, N2MH
> >>
> >>


