Login

Dookus · 09-25-2014, 05:46 AM

I just ran the commands on LL2

env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
env X="() { :;} ; echo busted" bash -c "echo stuff"

and the second command came back with "busted"

Meaning LL is vulnerable

I imagine the patch for this is reliant on Ubuntu developers?

***valtam*** · 09-25-2014, 09:20 AM

Both of mine just came back as 'stuff'. I assume you have updated?

Code:
jerry@comp:~$ env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"

stuff

jerry@comp:~$ env X="() { :;} ; echo busted" bash -c "echo stuff"

bash: warning: X: ignoring function definition attempt

bash: error importing function definition for `X'

stuff

jerry@comp:~$

**Scott(0)** · 09-25-2014, 12:24 PM

My system was already fixed via the normal LL update method:
Menu > All > Install Updates

You can also check the bash package version, type:

Code:
dpkg -s bash | grep Version

The fixed versions are:
4.3-7ubuntu1.1,
4.2-2ubuntu2.2, and
4.1-2ubuntu3.1

My laptop, for example:

Code:
scott@laptop:~$ dpkg -s bash | grep Version

Version: 4.3-7ubuntu1.1

So, I'm fixed!

If your system failed just update with:
Menu > All > Install Updates
And test the package version again.

The link below lists other tests as well.

Source:
http://askubuntu.com/questions/528101/wh...o-i-fix-it

***valtam*** · 09-25-2014, 07:20 PM

IMPORTANT: If you have run Install Updates from the 25th onwards, then you are no longer vulnerable.

You bash version should now be > 4.3-7ubuntu1.3
To find out if you have the above version or higher, open a terminal and do (in 32 and 64 bit):

Code:
dpkg -s bash | grep Version

Run the 2 commands below from the terminal one at a time, each time it should return the word safe. If it returns the word vulnerable then do Menu, Install Updates and test again.

Code:
env X="() { :;} ; echo vulnerable" /bin/sh -c "echo safe"

env X="() { :;} ; echo vulnerable" bash -c "echo safe"

Alternatively you can do:

Code:
sudo apt-get update && sudo apt-get install bash

to get the latest version of bash.

**Scott(0)** · 09-25-2014, 08:44 PM

Since I was asked a few times, thought I pass it along.

The vulnerability test (in reply #3 by Valtam) is the same for both 32 and 64 bit version of Linux Lite.

***valtam*** · 09-25-2014, 08:46 PM

Thanks Scott, updated Smile

I have left the greater-than sign in there next to the version number so there is no need to change it in the future.

newtusmaximus · 09-26-2014, 12:01 PM

Thanks for clarification and guidance. All OK here. Smile

However
Are we vulnerable through our broadband routers?

**Scott(0)** · 09-26-2014, 01:39 PM

Valtam,

The bash package was updated again. The current version is:
Version: 4.3-7ubuntu1.3

Maybe this line should be updated in post #3 to prevent any confusion.

Quote:You bash version should now be > 4.3-7ubuntu1.1

***valtam*** · 09-26-2014, 02:38 PM

Done.

Sent from my mobile phone.

Coastie · 09-26-2014, 07:01 PM

For those like me who did not understand that shellshock is a bash vulnerability (or even what bash is) I am making this post so if they do a search for it they will find this thread.

I posted https://mityer.khdlhfjijfrupr.tk/forums/index...sg5553#new because I did not know to search for bash.

Linux Lite 8.0 RC1 has been released - Click here

Hello There, Guest! Welcome to Linux Lite Forums!

Feel free to Register and discuss on various topics with likeminded people. Already have an account? Please Login!

Bash Vulnerability and Linux Lite

Login


Remember me
Lost Password?