[arm-allstar] bash patch
(KP4TR)Ramon Gonzalez
kp4tr.ramon at gmail.com
Sun Sep 28 08:50:24 EST 2014
The patch is only for bash. I compare this vulnerability to SQL and XSS
injection. When you can make any application by injecting code into it,
and making it innocently execute it behind the scenes, it is an issue,
even though it may appear to not be a big deal.
But then a weak root password is worse!
On 9/28/2014 9:30 AM, David McGough wrote:
> Hi,
>
> When I say no security concern, what I'm meaning is that there is no way,
> in the stock 1.1 release, to exploit this vulnerability.
>
> I agree this -could- be a nasty little bug. But, think about it: How is a
> would-be intruder going to exploit this bug??? In the test sample, listed
> below, the user already must have shell access in order to run the
> test--so, you've gained nothing.
>
> This bash bug does not provide a means for privilege escalation,
> either--unless some sysadmin has *unwisely* configured some bash script
> SUID root.
>
> Anyhow, this issue is fixed in the upcoming 1.2 release. And, it's fine to
> manually patch the 1.1 release. But, do this cautiously to avoid breaking
> the Asterisk installation!
>
>
> 73, David KB4FXC
>
>
>
> On Sun, 28 Sep 2014, (KP4TR)Ramon Gonzalez wrote:
>
>> Hello,
>>
>> I'm not sure why you say there are no security concerns with the old
>> version of bash. There are, and anyone who can try it out can test
>> themselves.
>>
>> The patch for Archlinux to patch this vulnerability is simple for the
>> BBB 1.1 of Archlinux:
>>
>> 1. To test vulnerability, copy and paste this:
>> env x='() { :;}; echo vulnerable' bash -c "echo If you see the word vulnerability above, you are"
>>
>> 2. To patch it, just update bash:
>> pacman -S bash
>>
>> 3. Run step 1 again, and you won't have the vulnerability
>>
>>
>>
>> On 9/28/2014 2:04 AM, David McGough wrote:
>>> Hi Mark,
>>>
>>> We've already got bash updated in the upcoming 1.2 release. But, for those
>>> running a "stock" 1.1, there are NO current security concerns with the old
>>> version of bash. By that, I mean there is no way to use bash to exploit
>>> the system.
>>>
>>> The 1.2 release fixes a long list of issues that were present in 1.1. So,
>>> keep an eye out for this update!
>>>
>>>
>>> 73, David KB4FXC
>>>
>>>
>>> On Sun, 28 Sep 2014, Mark Herson, N2MH wrote:
>>>
>>>> Hello to the group!
>>>>
>>>> This past week, Dave Cameron, VE7LTD, sent to the IRLP group information
>>>> about a problem with bash along with various fixes to this problem
>>>> depending on distro. Will bash be fixed in the new release of AllStar BBB
>>>> code?
>>>>
>>>> 73, Mark, N2MH
>>>>
>>>>
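Added example, not part of any message in this thread: a scriptable form of the step-1 test that returns a result instead of relying on reading the terminal, extended with a search for the setuid shell scripts named in the reply as the privilege-escalation precondition. The function names and the binary paths in the usage section are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): scriptable form of the step-1 test,
# plus a search for the setuid shell scripts mentioned in the reply.

# classify_probe OUTPUT -> vulnerable | patched | error
classify_probe() {
    case $1 in
        *vulnerable*) echo vulnerable ;;   # injected command ran during startup
        *probe-ran*)  echo patched ;;      # only the intended command ran
        *)            echo error ;;        # shell did not run at all
    esac
}

# check_bash BIN: run the thread's probe against one shell binary.
check_bash() {
    [ -x "$1" ] || { echo error; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo probe-ran' 2>/dev/null) || true
    classify_probe "$out"
}

# list_suid_shell_scripts DIR...: setuid files starting with a sh/bash shebang.
list_suid_shell_scripts() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        # Read only the first line; strip NUL bytes so binaries do not trip the shell.
        first=$(head -c 64 "$f" 2>/dev/null | tr -d '\000' | head -n 1)
        case $first in
            '#!'*bash*|'#!'*/sh|'#!'*/sh' '*) echo "$f" ;;
        esac
    done
}

# Usage: sh audit.sh --run   (paths below are assumptions; adjust per system)
if [ "${1:-}" = "--run" ]; then
    for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        if [ -e "$b" ]; then echo "$b: $(check_bash "$b")"; fi
    done
    list_suid_shell_scripts /
fi
```

Run it once before and once after `pacman -S bash`; any path printed by the second function is a script worth reviewing regardless of the bash version.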