maemo.org - Talk
Page 4 of 5 « First 23 4 5
Show 40 post(s) from this thread on one page

maemo.org - Talk (https://talk.maemo.org/index.php)
-   SailfishOS (https://talk.maemo.org/forumdisplay.php?f=52)
-   -   Sailfish OS bash shell is affected by the #shellshock bug (https://talk.maemo.org/showthread.php?t=93922)

nieldk 2014-09-26 09:34
Re: Sailfish OS bash shell is affected by the #shellshock bug
 
Quote:
Originally Posted by javispedro (Post 1440635)
Jolla doesn't use dhclient; it uses connman's builtin gdhcp client.
Will test later when I am at home on my linux box :)

Quote:
EDIT: Again, during "security crazes" please remember to keep your brain turned on. There's a shitton of people (e.g. stackoverflow) who is right now posting "instructions to solve the bash bug" which include absurd things such as replacing your distro's bash with some random online version. Without proper care, that's even more stupid than plainly doing nothing.
Absolutely true!

Quote:
This doesn't necessarily apply to nieldk's packages, which I think one can trust (hehe ;P), but please remember to be generally cautious about this.
:P only if You can trust 1) gnu sources 2) mer buildengine

Bundyo 2014-09-26 16:31
Re: Sailfish OS bash shell is affected by the #shellshock bug
 
Quote:
Originally Posted by LadyBug (Post 1440616)
If someone is curious how shellshock could be used to attack a Sailfish device, this illustrates one attack vector: https://pbs.twimg.com/media/ByZZUzmIIAAuFaR.jpg:large

That is, a malicious DHCP server could attack by sending code in the options field. I haven't verified this with my Jolla, but in theory this could be bad. Think of public WIFI access points...
Here is the whole page:
https://www.trustedsec.com/september...proof-concept/

HtheB 2014-09-26 17:25
Re: Sailfish OS bash shell is affected by the #shellshock bug
 
why do I keep thinking of Turtles in Time (for the SNES) when I read 'Shellshock'?
(when you died, it said 'shellshock'. good old times)

LouisDK 2014-09-26 20:05
Re: Sailfish OS bash shell is affected by the #shellshock bug
 
Quote:
Originally Posted by Bundyo (Post 1440564)
https://together.jolla.com/question/...#post-id-56855

This is the official answer, the thread was closed :)
Closing a bug report before the bug is fixed is not a good idea if you ask me.

gerbick 2014-09-26 20:49
Re: Sailfish OS bash shell is affected by the #shellshock bug
 
Quote:
Originally Posted by HtheB (Post 1440701)
why do I keep thinking of Turtles in Time (for the SNES) when I read 'Shellshock'?
(when you died, it said 'shellshock'. good old times)
That game was good and hard; the good kind of frustrating hard. Damn you... now I want to play it again...

javispedro 2014-09-27 00:04
Re: Sailfish OS bash shell is affected by the #shellshock bug
 
Quote:
Originally Posted by nieldk (Post 1440636)
Will test later when I am at home on my linux box :
Try to write to a file in /tmp since you're not going to easily know where stdout from connman is redirected.

rainisto 2014-09-27 08:09
Re: Sailfish OS bash shell is affected by the #shellshock bug
 
gdhcp is not setting any env variables, so it should not be vulnerable. But if you manage to find an exploit then feel free to send steps to reproduce email to security@jolla.com

nieldk 2014-09-27 11:42
Re: Sailfish OS bash shell is affected by the #shellshock bug
 
Quote:
Originally Posted by rainisto (Post 1440771)
gdhcp is not setting any env variables, so it should not be vulnerable. But if you manage to find an exploit then feel free to send steps to reproduce email to security@jolla.com
seems true, I couldnt use dhcp to trick connman exploit, neither with included bash, or my build

nieldk 2014-09-27 11:52
Re: Sailfish OS bash shell is affected by the #shellshock bug
 
internet of things - worth a reading

http://paste.lisp.org/display/143864

juiceme 2014-09-27 14:00
Re: Sailfish OS bash shell is affected by the #shellshock bug
 
Quote:
Originally Posted by nieldk (Post 1440789)
internet of things - worth a reading

http://paste.lisp.org/display/143864
All so true. Yet, this is something that happens all over again, whether the used components are FFOS or developed in-house. Sometimes a first-implemented solution works so well that proper break-in testing is not done... usually because of not enough time[*].

[*] There's never enough time to do things properly, but always time to fix them later


All times are GMT. The time now is 09:49.
Page 4 of 5 « First 23 4 5
Show 40 post(s) from this thread on one page

vBulletin® Version 3.8.8