Login

Dookus · 09-25-2014, 05:46 AM

I just ran the commands on LL2

env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
env X="() { :;} ; echo busted" bash -c "echo stuff"

and the second command came back with "busted"

Meaning LL is vulnerable

I imagine the patch for this is reliant on Ubuntu developers?

***Valtam*** · 09-25-2014, 09:20 AM

Both of mine just came back as 'stuff'. I assume you have updated?

Code:
jerry@comp:~$ env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"

stuff

jerry@comp:~$ env X="() { :;} ; echo busted" bash -c "echo stuff"

bash: warning: X: ignoring function definition attempt

bash: error importing function definition for `X'

stuff

jerry@comp:~$

**Scott(0)** · (This post was last modified: 09-25-2014, 12:29 PM by Scott(0).)

My system was already fixed via the normal LL update method:
Menu > All > Install Updates

You can also check the bash package version, type:

Code:
dpkg -s bash | grep Version

The fixed versions are:
4.3-7ubuntu1.1,
4.2-2ubuntu2.2, and
4.1-2ubuntu3.1

My laptop, for example:

Code:
scott@laptop:~$ dpkg -s bash | grep Version

Version: 4.3-7ubuntu1.1

So, I'm fixed!

If your system failed just update with:
Menu > All > Install Updates
And test the package version again.

The link below lists other tests as well.

Source:
http://askubuntu.com/questions/528101/wh...o-i-fix-it

***Valtam*** · (This post was last modified: 09-26-2014, 02:37 PM by Valtam.)

IMPORTANT: If you have run Install Updates from the 25th onwards, then you are no longer vulnerable.

You bash version should now be > 4.3-7ubuntu1.3
To find out if you have the above version or higher, open a terminal and do (in 32 and 64 bit):

Code:
dpkg -s bash | grep Version

Run the 2 commands below from the terminal one at a time, each time it should return the word safe. If it returns the word vulnerable then do Menu, Install Updates and test again.

Code:
env X="() { :;} ; echo vulnerable" /bin/sh -c "echo safe"

env X="() { :;} ; echo vulnerable" bash -c "echo safe"

Alternatively you can do:

Code:
sudo apt-get update && sudo apt-get install bash

to get the latest version of bash.

**Scott(0)** · 09-25-2014, 08:44 PM

Since I was asked a few times, thought I pass it along.

The vulnerability test (in reply #3 by Valtam) is the same for both 32 and 64 bit version of Linux Lite.

***Valtam*** · (This post was last modified: 09-26-2014, 07:40 PM by Valtam.)

Thanks Scott, updated Smile

I have left the greater-than sign in there next to the version number so there is no need to change it in the future.

newtusmaximus · (This post was last modified: 09-26-2014, 12:04 PM by newtusmaximus.)

Thanks for clarification and guidance. All OK here. Smile

However
Are we vulnerable through our broadband routers?

**Scott(0)** · 09-26-2014, 01:39 PM

Valtam,

The bash package was updated again. The current version is:
Version: 4.3-7ubuntu1.3

Maybe this line should be updated in post #3 to prevent any confusion.

Quote:You bash version should now be > 4.3-7ubuntu1.1

***Valtam*** · 09-26-2014, 02:38 PM

Done.

Sent from my mobile phone.

Coastie · 09-26-2014, 07:01 PM

For those like me who did not understand that shellshock is a bash vulnerability (or even what bash is) I am making this post so if they do a search for it they will find this thread.

I posted https://www.linuxliteos.com/forums/index...sg5553#new because I did not know to search for bash.

Login
Username:
Password:	Lost Password?
	Remember me

Linux Lite 7.6 Final Released - Click here for more