Shellshock? Maemo?
Is Maemo affected?
Thanks. |
Re: Shellshock? Meemo?
hmm..
are you referring to ....Meemo the global virtual goods distributor? http://www.meemo.me/
or Meemo ...the New York eatery?...been there...good food BTW... http://www.meemonyc.net/
A referring point would help concerning this ...shellshock? |
Re: Shellshock? Meemo?
Quote:
|
Re: Shellshock? Meemo?
Ah...this is about the bash bug!
...been all over the national news network here (cbc) lately... |
Re: Shellshock? Meemo?
Go to xterminal
Type bash
Hit enter
If it says "not found", you don't have bash & don't have to worry about this one |
Re: Shellshock? Meemo?
I came here for the geek references to how Maemo was misspelled in the title. Go Advanced Edit and edit the thread title before your original question is overlooked.
|
Re: Shellshock? Maemo?
Run this in xterm:
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
Code:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
Of course, if you don't have bash installed you're safe. |
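Added example, not part of the original post or of the thread: a POSIX sh wrapper around the probe above that also goes beyond it, reporting whether bash is reachable as /bin/sh or as a login shell. The function names and result labels are this example's own, and a PASSED_PROBE result covers only this one probe, not the later bash patches mentioned further down the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and result labels
# are this example's own.

# Classify the probe's stdout: "vulnerable" appears only if bash ran the
# code that trails the function definition in the environment variable.
classify_probe_output() {
    case "$1" in
        *vulnerable*)       echo "VULNERABLE" ;;
        *"this is a test"*) echo "PASSED_PROBE" ;;  # this probe only
        *)                  echo "UNKNOWN" ;;
    esac
}

# Run the thread's probe against one bash binary (default: bash in PATH).
probe_bash() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "NOT_INSTALLED"
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>/dev/null)
    classify_probe_output "$out"
}

# Accounts whose login shell is bash, read from a passwd-format file.
bash_login_users() {
    awk -F: '$7 ~ /(^|\/)bash$/ { print $1 }' "${1:-/etc/passwd}"
}

# Does the given sh path (default /bin/sh) resolve to a bash binary?
sh_is_bash() {
    target=$(readlink -f "${1:-/bin/sh}" 2>/dev/null) || target=""
    case "$target" in
        */bash) echo yes ;;
        *)      echo no ;;
    esac
}

report() {
    echo "bash probe:        $(probe_bash)"
    echo "/bin/sh is bash:   $(sh_is_bash)"
    echo "bash login shells: $(bash_login_users | tr '\n' ' ')"
}

report
```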
Re: Shellshock? Maemo?
hmm seems like I'm affected (n900), I have busybox 1.22.1, is that it that makes it vulnerable?
|
Re: Shellshock? Maemo?
Quote:
|
Re: Shellshock? Maemo?
ah, ok . so yes Maemo is affected with Bash version 3.2-0maemo10
|
Re: Shellshock? Maemo?
What would be the best way to patch?
- wait for an update from community
- get a fix from another linux distribution
- apt-get remove bash?
I have no idea
Thanks |
Re: Shellshock? Maemo?
It's quite funny, considering how some guy (our own, private version of poettering, if anyone would be in doubt who I'm referring to) tried to push bash into everyone's throat in Maemo Community, calling ash "messybox" and (successfully) pretending busybox-power integration into CSSU.
Yes - if anyone hasn't noticed, we still don't have busybox-power in CSSU - where it belongs - and need to install it via package that does binary file replacement... Mind this day and big middle finger to you, busybox haters. /Estel |
Re: Shellshock? Maemo?
1 Attachment(s)
This is the output I had.
|
Re: Shellshock? Maemo?
Quote:
IMHO bash or dash would be a much saner default. Plus the standard Linux coreutils instead of busybox clones. And as for security: wait until someone starts looking at busybox. Then all those people having non-updatable appliances running web servers with crappy CGI's running as root (i.e. most routers or NASes) will regret it. I can't wait to have a working debian on my N900. F*ck Maemo. (I'm usually more polite, blame it on the Oktoberfest). |
Re: Shellshock? Maemo?
reinob: don't feed the troll, please
|
Re: Shellshock? Maemo?
Probably the only exploit vector you would worry about would be DHCP. The other vectors are unlikely to affect your n900, such as cgi scripts, restricted ssh shells, etc...
Most of you are probably running the vulnerable version of openssl still which is probably a bigger risk than this. |
Re: Shellshock? Maemo?
Quote:
|
Re: Shellshock? Maemo?
Quote:
The question of busybox vs busybox-power vs GNU is still IMHO a very valid point of discussion. Some day Maemo might actually boot/work with bash as /bin/sh. I think I should work on that. But then again, give me debian or slackware and I'll dump Maemo on the spot :) |
Re: Shellshock? Maemo?
Quote:
Especially, that busybox is prime example of core system package that can't be distributed in extras in sane way (the only possibility is via binary file replacement, and you could distribute whole CSSU this way... Except, that it's just plain wrong), yet it's not included in CSSU for bulls**t reasons.
Suggestions to use BASH instead were all too common during busybox-power in CSSU discussion, effectively creating TWO possible attack surfaces, instead of one. Of course bash fanatics were absolutely sure that we won't create 2nd attack surface, as bash is awesome, magic, and 100% secure - which was proven wrong, and such assumption was wrong by design (no matter how secure your software is, it's still 2nd surface for attack). Not to mention being quite unrelated and demagogic (as it's hardly argument against updating our default /bin/sh).
---
Anyway, there is a side effect to this thread, too - suddenly, I lost big portion of respect for some people, that suddenly are able to only use derivatives of "troll" in place of discussion with arguments (and even gain "thanks" for it) - and I bet that it has more to do with pan-maemo's politic, than topic at hand. Well, there is old saying about spending too much time with someone and gaining his traits - I guess some people stuck to joerg on IRC for too long. Pity, perhaps, but well, not the end of the world and s**t happens...
Enough OT. /Estel |
Re: Shellshock? Maemo?
Sorry, but have to disagree. Seems like you're fighting your personal war thanks to shellshock. Imagine the opposite, vuln in busybox, practically all routers in the world exposed (and N900/non-CMdroids). Someone from bash proponents in CSSU comes in and states: "You see Estel, you're a dum...."
Bash was chosen for its features because this is full linux distro, not embedded system. We can afford running full blown (pun unintended) and featured linux distro with the latest and greatest (gplv3 even), try compiling/packaging some stuff on device and poor-featuredness of busybox tar will jump right at you. Yeah, go ahead and relink gtar and then... |
Re: Shellshock? Maemo?
Will there be a bash update for Maemo?
|
Re: Shellshock? Maemo?
Quote:
Now, some people argued that we don't need upstream updates to busybox (including security ones) - that busybox-power provides - in CSSU, cause we can install bash, anyway. Which is assumption broken by design, as we can either use bash AND still have ash as core /bin/sh, or only use ASH for everything. Summing it up, my whole point was that bash isn't "cure for your all shell related needs, cancer, poverty, and all world problems combined", especially on N900. It doesn't substitute busybox updates, and busybox-power SHOULD be part of CSSU. Shame on CSSU maintainers that it isn't as there are no rational/meritocratic reasons for it, only political bash-loving and ash-hating (and letting arrogant buffoons to act as CSSU advisors *waves to joerg*, which fortunately, is thing of the past, already). /Estel |
Re: Shellshock? Maemo?
This argument is all very interesting, but can anyone provide a simple answer to the question of whether a bash update is likely to become available, and/or should I try to make one myself?
|
Re: Shellshock? Maemo?
Quote:
But feel free to do it yourself :) |
Re: Shellshock? Maemo?
Quote:
|
Re: Shellshock? Maemo?
Quote:
I'm not aware of any DHCP attack vector. Anyway, I don't think *anything* in Maemo, including the DHCP client, require bash (because it's not even installed by default), so you should be "OK". But again, feel free to compile the latest bash. I'll see if I can do it quickly myself though. |
Re: Shellshock? Maemo?
1 Attachment(s)
So, here's the latest bash 4.3 with all 29 patches compiled (without NLS) for armel. It doesn't really need anything in terms of dependencies (although it is NOT statically compiled).
Just unpack it and put it in /usr/local/bin or wherever you find it convenient. PS: now that "we" control TMO, can we please remove these absurd restrictions on file extension and/or attachment size? |
Re: Shellshock? Maemo?
Quote:
Can you imagine the huge, heavy photographs and drawings that will quickly appear here, and overwhelm the storage?.. Seriously, we should ask techstaff about this. Where can we find the current bugs and feature requests of Maemo server? Is there https support in the works? Best wishes. Thank you! ~~~~~~~~~~~~~~~~~ Per aspera ad astra... |
Re: Shellshock? Maemo?
Quote:
And well, maybe a bit more than 800Kb would be fine.. Once techstaff sort their stuff out (if it hasn't been done yet) we could have an idea of how much space we need. I'll happily donate for another HDD or two. |
Re: Shellshock? Maemo?
1 Attachment(s)
Quick heads up. There's a new patch for bash (#30, dated October 5th). When I get some time I'll post an updated version.
Add. here it is! Add. It passes all current tests:
Code:
$ curl https://shellshocker.net/shellshock_test.sh | bash
|
Re: Shellshock? Maemo?
A couple of things. This is really cool. However, please remember to
Code:
chmod +x
At least test by bashing into bash after you install it. I forgot to make this executable and had to boot into rescueos to fix. :eek: Also, last thing is, and I'm not 100% sure about this, it seems to work best if installed into /bin rather than /usr/bin. Reason being, if you use the special three finger shortcut (shift-ctrl-x) for the X-terminal, it seems to crash the phone |
Re: Shellshock? Maemo?
upload to extras-devel?
|
Re: Shellshock? Maemo?
Quote:
If you're using bash as your user shell (in /etc/passwd) then I *suppose* that it should work, but I haven't tried it. I actually don't need or use bash on the N900. The version I've posted is for those who feel the need to have the latest and/or for those who are actually affected by the shellshock vulnerability (i.e. nobody :). Re. extras-devel. Not me. I once tried to get something there and had to request an account who-knows-where (garage or whatever) and heard nothing ever since. For all I care, the maemo repositories are static and read-only. If I need something that is not there I'll just do it myself and (if I'm nice) post the binary here. I still don't know if it's a problem of time, money or politics, but something tells me we (if there's a we, a community) should have a repository and a forum and a wiki completely independent of anything we've had in the past. I don't know why we need this "garage" or anything owned/damaged by Nokia or or or. But anyway, this is off-topic. |
Re: Shellshock? Maemo?
That's actually an excellent idea. Self-maintained garage. One less job for the Council to do.
|
Re: Shellshock? Maemo?
Quote:
Every contribution is welcome! I don't know which was the problem with garage the last time you tried, but i think that we (techstaff) can help you if something goes wrong at first. garage - builder - extras is a complex env that i would not define "perfect", most of times, when something goes wrong, it's not about politics but it's something that we can cure with a chown or chmod. |
Re: Shellshock? Maemo?
Quote:
Currently I get this: Quote:
I guess my garage account would work if I had one. But garage requires me to specify my full name. I won't give my real name here and I see no point in making one up. So whenever I want to edit the wiki I do it as an IP, which in turn requires me to use TOR or some other obfuscation technique because I don't like to have my IP on show for everyone. |
Re: Shellshock? Maemo?
@sulu
afaik you can create a garage account also without specifying exactly your personal details. I can understand that someone may have real reasons to avoid to expose these details. |
Re: Shellshock? Maemo?
Quote:
I used this form: https://garage.maemo.org/extras-assi...tation_request I have sent another request just now concerning rsync, bash and ngp. As time goes (and if this works reasonably well without wasting a lot of time) I might upload other stuff (like a working nano, newer openssh, etc.) |
Re: Shellshock? Maemo?
Quote:
I expressed my concerns this thread but they seem to have fallen on deaf ears. Oh well, now I just take it as if the wiki is a non-existent resource. |
Re: Shellshock? Maemo?
Quote:
No symlink from bash -> sh. Changed to bash in /etc/passwd for user and root. |