bash env bug on legacy centos 4.8 system
Re: bash env bug on legacy centos 4.8 system
I have no idea how much an el4 EUS is but I bet it's not cheap. OTOH, the amount of effort being expended on one bug here is quite considerable and there appears to be not much thought given as to how many of the other 19 pages of bugs released for el5 since Feb 2012 here are also applicable to el4 and are missing.
You're quite welcome to continue to discuss this here. I'm just pointing out that you are almost quite literally flogging a dead horse! I'm pretty sure that you'd all be better expending the same amount of effort in migrating to a supported release.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: bash env bug on legacy centos 4.8 system
Oh, I completely get that running centos4 is a very bad idea. But in some cases there is no other option without throwing a lot of time/money at it.
In theory the one remaining 4.9 server I am maintaining will be retired next year.
For now I keep very good backups, and any new server I am setting up gets centos7 because I never want to run into this update wall again in my lifetime.
Looking at those "19 pages", if you trim it to security and only important/critical severity, then eliminate the bulk of PHP and HTTPD (apache) and Firefox (which are either updated independently or not running) it is not an overwhelming list.
Some do look a bit concerning, though many look like escalation of existing access.
However this bash issue is an instantaneous script-kiddie exploit without any other presence on the server,
and it is too easy to fix thanks to the published patches - so why ignore it?
Re: bash env bug on legacy centos 4.8 system
Wow patch 20, where did that come from.
http://ftp.gnu.org/pub/gnu/bash/bash-3. ... bash30-020
Neverending. And I don't see other updates for CentOS5/6/7 - strange.
Re: bash env bug on legacy centos 4.8 system
Florian Weimer, who's listed as the author on that patch, is a Red Hat employee, and that patch was included in the second round of bash patches for el5/6 and 7.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: bash env bug on legacy centos 4.8 system
So bashcheck has been updated
https://github.com/hannob/bashcheck/blo ... /bashcheck
and while patch #20 solves the segfault, I do not understand why this still fails:
Vulnerable to CVE-2014-6277 (lcamtuf bug #1) [no patch]
I wonder if one of the patches is not finding what it needs, strange.
Oh it is still segfaulting, it is just masked
Code:
bash -c "f(){ x(){ _;};x(){ _;}<<a;}"
Segmentation fault (core dumped)
Segfault is far from ideal but at least it is not executing the code in the end.
Ah, just saw a notice there are two more patches pending. Maybe then.
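A small wrapper, added here as an example and not part of any post in this thread, that reads the patch level out of `bash --version` and re-runs the parser probe quoted above with core dumps disabled, reporting whether the child bash was killed by SIGSEGV rather than leaving a "core dumped" message behind. The function names are my own; the probe command is the one from the post.

```shell
#!/bin/sh
# Added example: check the installed bash patch level and re-run the
# segfault probe from the thread in a controlled way.

# bash_patchlevel VERSION_LINE -> prints the patch number, e.g. 20 for
# "GNU bash, version 3.0.20(1)-release (i386-redhat-linux-gnu)";
# prints nothing if the line is not a bash version banner.
bash_patchlevel() {
    printf '%s\n' "$1" |
        sed -n 's/^GNU bash, version [0-9]*\.[0-9]*\.\([0-9]*\).*/\1/p'
}

# installed_patchlevel [BASH_BINARY] -> patch level of that binary
# (defaults to whatever "bash" resolves to on PATH).
installed_patchlevel() {
    bash_patchlevel "$("${1:-bash}" --version 2>/dev/null | head -n 1)"
}

# segfault_probe [BASH_BINARY] -> prints "segfault", "clean" or "error (rc)".
# The probe is the function-definition input quoted in the thread; it only
# defines a function, so a healthy parser exits 0. A child killed by
# SIGSEGV is reported by POSIX shells as exit status 128 + 11 = 139.
# ulimit -c 0 keeps the crashing child from writing a core file.
segfault_probe() {
    if ( ulimit -c 0 2>/dev/null
         exec "${1:-bash}" -c 'f(){ x(){ _;};x(){ _;}<<a;}' ) >/dev/null 2>&1
    then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        139) echo segfault ;;      # parser crashed: patches not applied/effective
        0)   echo clean ;;         # input accepted without crashing
        *)   echo "error ($rc)" ;; # rejected or bash missing; inspect by hand
    esac
}

printf 'installed bash patch level: %s\n' "$(installed_patchlevel)"
printf 'segfault probe: %s\n' "$(segfault_probe)"
```

Point both functions at the freshly built binary (e.g. `segfault_probe /path/to/new/bash`) to compare it with the system one before swapping it in.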
Re: bash env bug on legacy centos 4.8 system
_ck_ wrote:
> Wow patch 20, where did that come from.
> http://ftp.gnu.org/pub/gnu/bash/bash-3. ... bash30-020
> Neverending. And I don't see other updates for CentOS5/6/7 - strange.

Wow... Thanks for keeping up with these patch notifications.
Okay, building & testing, now. I'll have fresh binaries for everyone shortly.
Also, FYI, I have been fighting for the past two evenings to get a working CentOS 7 x64 VM in VirtualBox with the cross-compiler stuff necessary to take a stab at building these using gcc 4.8 (with -fsanitize=address capability) and hopefully be able to generate both 32 & 64-bit binaries.
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC
-------------------------------------------------------------
Re: bash env bug on legacy centos 4.8 system
Fresh binaries available on my ftp server.
These are still built with the older gcc, so the test for CVE-2014-7187 is still inconclusive.
Cheers
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC
-------------------------------------------------------------
Re: bash env bug on legacy centos 4.8 system
LewisR wrote:
> Fresh binaries available on my ftp server.
> These are still built with the older gcc, so the test for CVE-2014-7187 is still inconclusive.
> Cheers

Thanks Lewis, this helped loads!
Re: bash env bug on legacy centos 4.8 system
Fresh binaries available on my ftp server.
These are still built with the older gcc, so the test for CVE-2014-7187 is still inconclusive. However, CVE-2014-6277 now shows as not vulnerable (when testing from bashcheck, at least).
I'm still trying to get a useful build system for these set up under CentOS 7 (which was a bear to install under VBox 4.3, if I do say so myself). I'm almost halfway there (I think), so we'll see how it goes.
Good luck, everyone.
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC
-------------------------------------------------------------