oss-sec mailing list archives

Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code


From: Solar Designer <solar () openwall com>
Date: Sun, 5 Oct 2014 20:54:14 +0400

Sona,

Oh, I didn't realize you actually are with a distro vendor:

"Enea Linux is a Yocto-based Linux distribution targeted for
communication and networking solutions."

Then you do in fact have a valid reason to test for and patch the
individual bugs even when they're no longer security relevant.  My
advice is that if you feel you're a "non-expert" in bash bugs, you
simply apply all bash upstream's patches, and keep adding them to your
package of bash as more upstream patches become available.  You do not
need to issue security advisories (or whatever you normally do when
fixing security vulnerabilities) each time: it's sufficient to do that
once, when you've just included the prefix/suffix patch (bash43-027 or
equivalent).  Once you have bash43-027, further patches to bash are no
different than e.g. the many patches that are issued for VIM (a project
that tends to release hundreds of post-release patches, most of them
non-security).

I hope this helps.

Alexander

On Sun, Oct 05, 2014 at 05:44:15PM +0400, Solar Designer wrote:
> On Sun, Oct 05, 2014 at 10:22:06AM +0000, Sona Sarmadi wrote:
> > I think what most (non-expert) people need is an explanation for each CVE
>
> No.  Most non-expert people only need to know that they need either the
> prefix/suffix patch included or function imports disabled, preferably in
> a security update from their distro vendor.  This makes the individual
> parser bugs, which got CVEs assigned, irrelevant.
> [...]
> > 2) Do we need to apply *all* of these individual bash patches (i.e. bash43-025 through bash43-029)? Even
> > bash43-027 which is not solving any specific CVE?  Or should we apply 27 or all the others?
>
> If you choose to build bash from source (why?) rather than simply use
> your distro's security update, [...]
> [...]
> > 3) Do you have a script or summary of all tests in one place like
> > http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29 or
> > https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck ? Or maybe these are good enough & reliable?
>
> You only need the one-liner test above.  Running tests for the various
> CVEs is a distraction (it's moderately useful e.g. for a distro vendor,
> to see what non-security bugs may need to be patched, but mostly not for
> an end-user or sysadmin).
>
> Alexander
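The prefix/suffix patch the thread keeps returning to (bash43-027) changes how bash passes functions through the environment: after it, `export -f` stores a function under the name `BASH_FUNC_<name>%%`, and only variables carrying that prefix and suffix are parsed as function definitions at startup, so a plain variable whose value merely looks like `() { ...; }` is left alone. The POSIX sh script below is an added check written for this page; it is not part of the thread, of bashcheck, or of bash's own test suite. It assumes a `bash` on PATH and upstream's `BASH_FUNC_f%%` naming (some distro backports use a different suffix, which the prefix match still covers).

```shell
#!/bin/sh
# Added example: verify that the bash on PATH namespaces function imports
# (upstream bash43-027 or a distro equivalent). Two observations are made:
#   1. the environment name that `export -f f` produces, and
#   2. whether a plain variable named "f" holding a function-looking value
#      is imported as a function on startup (it must not be).

# Prints the environment variable name bash used when exporting function f.
# Patched bash: "BASH_FUNC_f%%" (or a distro variant starting with BASH_FUNC_f).
# Unpatched bash: "f".
exported_func_name() {
    bash -c 'f() { :; }; export -f f; env' \
        | sed -n -e 's/^\(BASH_FUNC_f[^=]*\)=.*/\1/p' -e 's/^\(f\)=.*/\1/p' \
        | head -n 1
}

# Prints "ignored" when a plain variable f='() { :; }' in the environment is
# NOT turned into a shell function by the child bash, "imported" when it is.
# `declare -F f` exits 0 only if f is defined as a function.
plain_var_import_status() {
    if env f='() { :; }' bash -c 'declare -F f >/dev/null 2>&1'; then
        echo imported
    else
        echo ignored
    fi
}

# Combined verdict: "patched" only if exports are namespaced AND plain
# variables are no longer imported; otherwise reports what was observed.
check_bash_func_prefix() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    name=$(exported_func_name)
    status=$(plain_var_import_status)
    case "$name/$status" in
        BASH_FUNC_f*/ignored) echo patched ;;
        *) echo "unpatched (export name: ${name:-none}, plain var: $status)" ;;
    esac
}

check_bash_func_prefix
```

On a system with a current bash the script prints `patched`; that single outcome is what makes the per-CVE parser tests the thread calls a distraction, since none of those bugs can be reached from an environment variable once imports are confined to the `BASH_FUNC_` namespace.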
