PSA: #shellshock still unfixed except in Debian unstable, testing, *buntu LTS

I just installed, for work, Hanno Böck’s bashcheck utility on our monitoring system, and watched all¹ systems go blue.

① All but two. One is not executing remote scripts from the monitoring for security reasons, the other is my desktop which runs Debian “sid” (unstable).

(Update, 2014-10-20: jessie, precise, trusty are also green now.)

This means that all those distributions still have unfixed #shellshock bugs.

• lenny (with Md’s packages): bash (3.2-4.2) = 3.2.53(1)-release
  • CVE-2014-6277 (lcamtuf bug #1)
• squeeze (LTS): bash (4.1-3+deb6u2) = 4.1.5(1)-release
  • CVE-2014-6277 (lcamtuf bug #1)
• wheezy (stable-security): bash (4.2+dfsg-0.1+deb7u3) = 4.2.37(1)-release
  • CVE-2014-6277 (lcamtuf bug #1)
  • CVE-2014-6278 (lcamtuf bug #2)
• jessie (testing): bash (4.3-10) = 4.3.27(1)-release
  • CVE-2014-6277 (lcamtuf bug #1)
  • CVE-2014-6278 (lcamtuf bug #2)
• sid (unstable): bash (4.3-11) = 4.3.30(1)-release
  • none
• CentOS 5.5: bash-3.2-24.el5 = 3.2.25(1)-release
  • extra-vulnerable (function import active)
  • CVE-2014-6271 (original shellshock)
  • CVE-2014-7169 (taviso bug)
  • CVE-2014-7186 (redir_stack bug)
  • CVE-2014-6277 (lcamtuf bug #1)
• CentOS 5.6: bash-3.2-24.el5 = 3.2.25(1)-release
  • extra-vulnerable (function import active)
  • CVE-2014-6271 (original shellshock)
  • CVE-2014-7169 (taviso bug)
  • CVE-2014-7186 (redir_stack bug)
  • CVE-2014-6277 (lcamtuf bug #1)
• CentOS 5.8: bash-3.2-33.el5_10.4 = 3.2.25(1)-release
  • CVE-2014-6277 (lcamtuf bug #1)
• CentOS 5.9: bash-3.2-33.el5_10.4 = 3.2.25(1)-release
  • CVE-2014-6277 (lcamtuf bug #1)
• CentOS 5.10: bash-3.2-33.el5_10.4 = 3.2.25(1)-release
  • CVE-2014-6277 (lcamtuf bug #1)
• CentOS 6.4: bash-4.1.2-15.el6_5.2.x86_64 = 4.1.2(1)-release
  • CVE-2014-6277 (lcamtuf bug #1)
• CentOS 6.5: bash-4.1.2-15.el6_5.2.x86_64 = 4.1.2(1)-release
  • CVE-2014-6277 (lcamtuf bug #1)
• lucid (10.04): bash (4.1-2ubuntu3.4) = 4.1.5(1)-release
  • CVE-2014-6277 (lcamtuf bug #1)
• precise (12.04): bash (4.2-2ubuntu2.5) = 4.2.25(1)-release
  • CVE-2014-6277 (lcamtuf bug #1)
  • CVE-2014-6278 (lcamtuf bug #2)
• quantal (12.10): bash (4.2-5ubuntu1) = 4.2.37(1)-release
  • extra-vulnerable (function import active)
  • CVE-2014-6271 (original shellshock)
  • CVE-2014-7169 (taviso bug)
  • CVE-2014-7186 (redir_stack bug)
  • CVE-2014-6277 (lcamtuf bug #1)
  • CVE-2014-6278 (lcamtuf bug #2)
• trusty (14.04): bash (4.3-7ubuntu1.4) = 4.3.11(1)-release
  • CVE-2014-6277 (lcamtuf bug #1)
  • CVE-2014-6278 (lcamtuf bug #2)

I don’t know if/when all distributions will have patched their packages ☹ but thought you’d want to know the hysteria isn’t over yet…

… however, I hope you were not stupid enough to follow the advice of this site which suggests you to download some random file over the ’net and execute it with superuser permissions, unchecked. (I think the Ruby people were the first to spread this extremely insecure, stupid and reprehensible technique.)

Updates:

• rsc points out that CentOS only supports 5.«latest» and 6.«latest», and paying RHEL get 5.«x».«y» but only occasionally. We updated one of the two systems in question and shut the other down due to lack of use.
• trusty (14.04): bash (4.3-7ubuntu1.5) = 4.3.11(1)-release
  • none
• Yes, comments on this blog are disabled; mail ｔ．ｇｌａｓｅｒ＠ｔａｒｅｎｔ．ｄｅ for feedback.
• Since I was asked (twice): the namespace patches by Florian Weimer protect from most exploits. The bugs are, nevertheless, present:

  root@debian-wheezy:~ # env 'BASH_FUNC_foo()=() { x() { _; }; x() { _; } <<'"$(perl -e '{print "A"x1000}'); }" bash -c :
  Segmentation fault
  139|root@debian-wheezy:~ # dmesg | tail -1
  [3121102.362274] bash[1699]: segfault at dfdfdfdf ip 00000000f766df36 sp 00000000ffe90b34 error 4 in libc-2.13.so[f75ee000+15d000]
   

• To one eMail sender: If you do not understand why a CGI or something else could invoke a shell, or what a segmentation fault trap is, do not bother me. Especially not in that tone.
• To another eMail sender: Yes, quantal is end of life. It’s also upgraded. First and last time I ever used *buntu’s “do-release-upgrade”. Broke kernel and GRUB, and upgraded to saucy. I manually “apt-get –purge dist-upgrade”d to trusty (went surprisingly well).
• precise (12.04): bash (4.2-2ubuntu2.6) = 4.2.25(1)-release
  • none
• jessie (testing): bash (4.3-11) = 4.3.30(1)-release
  • none
• Update 27.10.2014: Clearly, distributions are not fixing the lcamtuf bug series (Debian stable, CentOS), believing that the affix patch makes them invulnerable, while it just removes the most common/popular/exposed attack vector. Sad story.

Thanks to ↳ tarent for letting me do this work during $dayjob time!