bash env bug on legacy centos 4.8 system
Re: bash env bug on legacy centos 4.8 system
Just to reiterate: CentOS 4.anything is end of life. It has no support. It is an ex-product. If you still have machines running CentOS 4 then you need to be looking urgently at migrating them to a supported release. This is not new: it has been end of life for two and a half years. I am 100% certain that many of the security vulnerabilities that have been found and fixed in the last 2.5 years in CentOS 5 and CentOS 6 also apply to CentOS 4. You are running something that is insecure and you need to start planning, 2.5 years ago, how to get off it!
I'm sorry if this sounds rude. It's not meant that way but you've had 2.5 years to get off an EOL platform and onto something else.
If you really really need to run el4 and have a business case for it then you should probably justify to your management why you should buy a Redhat extended services subscription and get yourself onto the el4 Z stream which is still supported and has produced fixes for this issue.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: bash env bug on legacy centos 4.8 system
Fresh binaries available on my ftp server.
These include bash30-018 which addresses CVE-2014-7169.
x64 builds coming shortly. Note the updated readme in the FTP directory.
Cheers
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC
-------------------------------------------------------------
Re: bash env bug on legacy centos 4.8 system
Hi, Trevor... Fancy meeting you here.
TrevorH wrote:
Just to reiterate: CentOS 4.anything is end of life. It has no support. It is an ex-product. If you still have machines running CentOS 4 then you need to be looking urgently at migrating them to a supported release.
<snip>
If you really really need to run el4 and have a business case for it then you should probably justify to your management why you should buy a Redhat extended services subscription and get yourself onto the el4 Z stream which is still supported and has produced fixes for this issue.
I have a single app which does not seem to be happy running on anything newer. I don't need to justify expense to management, because that's my decision (I'm management). I could spend the time to migrate the application to el4 (which was a supported OS for it), but to what end? If I can keep up with critical issues like this, it's hard to justify the cost of a commercial distro for a single app which is seldom used (but works like a charm, and thus is not worth replacing) and the time and effort to migrate the OS on the box to something else, so long as the OS remains installable on modern hardware.
If I were doing this for a client, I would likely take a different position, because the client would have to pay for my support to maintain the older (unsupported) distro. For my own stuff, however, the formula is a bit different.
Cheers
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC
-------------------------------------------------------------
Re: bash env bug on legacy centos 4.8 system
LewisR wrote:
Fresh binaries available on my ftp server.
These include bash30-018 which addresses CVE-2014-7169.
x64 builds coming shortly. Note the updated readme in the FTP directory.
Cheers
64-bit builds are now available from my FTP server, referenced above.
Good luck!
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC
-------------------------------------------------------------
Re: bash env bug on legacy centos 4.8 system
A third patch has now appeared, and more bug detection
http://seclists.org/oss-sec/2014/q3/693
http://www.openwall.com/lists/oss-secur ... 4/09/25/13
Currently unofficial but since they are with redhat, it will probably get put into distro over the next few days.
It is not yet ported for older bash versions:
http://seclists.org/oss-sec/2014/q3/att ... ffix.patch
Automated check script:
https://raw.githubusercontent.com/hanno ... /bashcheck
Re: bash env bug on legacy centos 4.8 system
_ck_ wrote:
A third patch has now appeared, and more bug detection
<snip>
Automated check script:
https://raw.githubusercontent.com/hanno ... /bashcheck
Egad, what a mess...
Okay, I've built 32 and 64-bit rpms, but the automated check has me a little puzzled:
Code:
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
./bashcheck: line 18: 19987 Segmentation fault bash -c "true $(printf '<<EOF %.0s' {1..79})" 2>/dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs
This post seems to suggest that
Code:
# bash -c ':<<a<<b<<c<<d<<e<<f<<g<<h<<i<<j<<k<<l<<m<<n'
Code:
# env 'f=() { :<<a<<b<<c<<d<<e<<f<<g<<h<<i<<j<<k<<l<<m<<n
a
b
c
d
e
f
g
h
i
j
k
l
m
n
}' bash -c 'echo hi'
The next test in the above post is:
Code:
# bash -c "export f=1 g='() {'; f() { echo 2;}; export -f f; bash -c 'echo \$f \$g; f; env | grep ^f='"
Code:
1 () {
2
f=1
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC
-------------------------------------------------------------
Re: bash env bug on legacy centos 4.8 system
Hmmm...
Okay. I figured out why I can't build with -fsanitize=address (this was apparently added in gcc 4.8, and I am building with gcc 3.4.6). So, should this be a real problem? I'm more concerned about the segfault when testing for CVE-2014-7186.
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC
-------------------------------------------------------------
Re: bash env bug on legacy centos 4.8 system
LewisR wrote:
this was apparently added in gcc 4.8, and I am building with gcc 3.4.6).
I suspect we could build the bash3.0 binary on a newer version of centos with gcc 4.8 and copy it over
I use the devtoolset copy of gcc 4.8 on centos6.5 http://linux.web.cern.ch/linux/devtoolset/
but centos7 has newer gcc right in base repo
Re: bash env bug on legacy centos 4.8 system
Okay patch 19 has now appeared for 3.0
Here we go again
http://ftp.gnu.org/pub/gnu/bash/bash-3. ... bash30-019
(it appears to be the official version of the unofficial patch)
after #19 on centos 4.9
Code:
./bashcheck
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
./bashcheck: line 18: 14262 Segmentation fault (core dumped) bash -c "true $(printf '<<EOF %.0s' {1..79})" 2>/dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs
So I guess I expect #20 sometime this week.
What is strange is the redir_stack bug is okay on CentOS 6.5 even before the next yum update
Code:
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs
OH I see now, the segfault causes the redir test to be marked as failed.
I also do not see a .3 package sitting on the 6.5 mirrors (yet)
http://mirror.centos.org/centos/6/updat ... /Packages/
Re: bash env bug on legacy centos 4.8 system
TrevorH wrote:
If you really really need to run el4 and have a business case for it then you should probably justify to your management why you should buy a Redhat extended services subscription and get yourself onto the el4 Z stream which is still supported and has produced fixes for this issue.
Out of morbid curiosity, how much is an EL4 ELS subscription anyway?
Also, very curious if yum can switch out the centos4 and el4 binaries without hassle since they are supposed to be virtually identical?