Sep 25

BASH shell bug

As many of you are probably aware, there is a serious security issue, currently all over the web, in the GNU BASH shell. The PC-BSD project is well aware of the issue; a fix is already in place to plug the hole, and packages with that fix are building now. Look for an update to your BASH shell within the next 24 hours in the form of a package update.

As a side note: nothing written by the PC-BSD project uses BASH in any way, and BASH is not part of the FreeBSD base system (it is an optional port/package), so the severity of this bug is lower on FreeBSD than on operating systems where bash is the default system shell. If you installed bash yourself, or use it as your login shell, you are still affected and should install the update.

On the FreeBSD mailing list, Bryan Drewery has already sent a notice that the port is fixed. Since his email also contains some good recommendations for BASH users, we are reproducing it here for anyone who is interested.
_______________

From: Bryan Drewery – FreeBSD mailing list

The port is fixed with all known public exploits. The package is
building currently.

However bash still allows the crazy exporting of functions and may still
have other parser bugs. I would recommend for the immediate future not
using bash for forced ssh commands as well as these guidelines:

1. Do not ever link /bin/sh to bash. This is why it is such a big
problem on Linux, as system(3) will run bash by default from CGI.
2. Web/CGI users should have shell of /sbin/nologin.
3. Don’t write CGI in shell script / Stop using CGI 🙂
4. httpd/CGId should never run as root, nor “apache”. Sandbox each
application into its own user.
5. Custom restrictive shells, like scponly, should not be written in bash.
6. SSH authorized_keys/sshd_config forced commands should also not be
written in bash.
_______________
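Bryan's guidelines, turned into a small host audit. This is an added example, not code from the PC-BSD project or from the email above; it is written in POSIX sh on purpose, since an audit of bash should not itself depend on bash. The web user names, the authorized_keys locations and the treatment of `*/false` as a locked shell are assumptions for the example, and the test string it runs is the public one also quoted in the comments on this page.

```sh
#!/bin/sh
# Added example (not from the PC-BSD post or Bryan Drewery's email):
# audit a host against the guidelines above.  POSIX sh only, so the
# audit does not itself depend on the shell being audited.  User names
# and key-file paths at the bottom are assumptions; adjust for your box.

# Does this program run under bash?  True when the basename is bash
# (bash, bash4, bash-static, ...) or when the file's shebang names bash.
# Serves guidelines 1, 5 and 6: /bin/sh, restricted shells and forced
# commands must not resolve to bash.
script_uses_bash() {
    p=$1
    case $(basename "$p") in
        bash*) return 0 ;;
    esac
    [ -r "$p" ] || return 1
    case $(head -n 1 "$p" 2>/dev/null) in
        '#!'*bash*) return 0 ;;
    esac
    return 1
}

# Guideline 1: /bin/sh must never be a link to bash.  Symlinks are
# followed so that /bin/sh -> /usr/local/bin/bash is caught.
sh_is_bash() {
    target=$(readlink -f "${1:-/bin/sh}" 2>/dev/null) || target=${1:-/bin/sh}
    script_uses_bash "$target"
}

# Is the function-export bug closed in this bash?  Runs the public test
# string.  Prints "vulnerable", "patched" or "not installed" and returns
# 0 unless vulnerable.  Passing only shows the first public exploit is
# blocked; as the email says, other parser bugs may remain.
bash_is_patched() {
    shell=${1:-bash}
    if ! command -v "$shell" >/dev/null 2>&1; then
        echo "not installed"
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo hello' 2>/dev/null)
    case $out in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# Guideline 2: web/CGI accounts should have /sbin/nologin.  Reads
# passwd(5)-format lines on stdin, prints each user whose shell is not
# nologin (or false, assumed equivalent here), returns 1 if any printed.
# An empty shell field means the default login shell, so it is reported.
users_with_login_shell() {
    rc=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        case $shell in
            */nologin|*/false) ;;
            *) echo "$user: $shell"; rc=1 ;;
        esac
    done
    return $rc
}

# Guideline 6: forced commands in authorized_keys must not be bash or a
# bash script.  Reads authorized_keys lines on stdin, prints offending
# lines, returns 1 if any were found.
forced_commands_using_bash() {
    rc=0
    while IFS= read -r line; do
        cmd=$(printf '%s\n' "$line" | sed -n 's/.*command="\([^"]*\)".*/\1/p')
        [ -n "$cmd" ] || continue
        set -f; set -- $cmd; set +f     # first word: interpreter or script
        if script_uses_bash "$1"; then
            echo "$line"
            rc=1
        fi
    done
    return $rc
}

# Audit the running system (user names and key paths are assumptions).
echo "bash: $(bash_is_patched bash)"
if sh_is_bash /bin/sh; then echo "/bin/sh is bash: FAIL"; else echo "/bin/sh is bash: no"; fi
echo "web users with a login shell (should be empty):"
grep -E '^(www|www-data|apache|httpd|nginx):' /etc/passwd | users_with_login_shell || true
for f in /root/.ssh/authorized_keys "${HOME:-/nonexistent}/.ssh/authorized_keys"; do
    [ -r "$f" ] || continue
    echo "forced commands using bash in $f:"
    forced_commands_using_bash < "$f" || true
done
```

Run it as `sh audit.sh`; each check prints its finding and the functions can also be pointed at constructed input (passwd or authorized_keys lines on stdin, a path for the shell checks), which is how one would verify them on a test tree before trusting them on a production host.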

For more information on the bug itself, see the Ars Technica article at the link below.

http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/


Written by Josh Smith. Posted in 10.0, 9.0, 9.1, 9.2, security update, testers


Comments (6)

  • sg1efc
    September 25, 2014 at 2:07 pm |

    Great info, Thanks very much Josh, Bryan and everyone else. 🙂

  • September 26, 2014 at 2:52 pm |

    I’ve also disabled this feature by default now. https://svnweb.freebsd.org/ports?view=revision&revision=369341

  • Helix
    September 27, 2014 at 9:24 pm |

    The link on Arstehnica does not open 🙁

    • Josh Smith
      September 28, 2014 at 11:00 pm |

      Sorry about that Helix. Try again now :).

  • Beach Geek
    October 7, 2014 at 2:20 pm |

    It’s now October 8th. Update Manager says “Your system is fully updated”, but it still fails the bash test:

    env x='() { :;}; echo vulnerable' bash -c 'echo hello'

    output:
    vulnerable
    hello

    Did we miss the bash update? something fail?
    BG

    bash --version
    GNU bash, version 4.3.18(2)-release (amd64-portbld-freebsd10.0)

    • October 8, 2014 at 12:36 pm |

      Hey Beach Geek. If you are concerned about the bash vulnerability and / or use bash as your default shell you should switch over to the edge package set. It has any PC-BSD updates as they happen. Production packages in general are not published as frequently, but should also receive the update soon.
