Posts: 92 | Thanked: 144 times | Joined on Apr 2014
#11
What would be the best way to patch?

- wait for an update from the community
- get a fix from another Linux distribution
- apt-get remove bash?

I have no idea.

Thanks
 
Estel
Posts: 5,028 | Thanked: 8,613 times | Joined on Mar 2011
#12
It's quite funny, considering how some guy (our own private version of Poettering, if anyone is in doubt about who I'm referring to) tried to push bash down everyone's throat in the Maemo community, calling ash "messybox" and (successfully) preventing busybox-power integration into CSSU.

Yes, if anyone hasn't noticed, we still don't have busybox-power in CSSU, where it belongs, and need to install it via a package that does binary file replacement... Mind this day, and a big middle finger to you, busybox haters.

/Estel
__________________
N900's aluminum backcover / body replacement
-
N900's HDMI-Out
-
Camera cover MOD
-
Measure battery's real capacity on-device
-
TrueCrypt 7.1 | ereswap | bnf
-
Hardware's mods research is costly. To support my work, please consider donating. Thank You!
 
jellyroll
Posts: 435 | Thanked: 684 times | Joined on Apr 2012 @ Netherlands 020
#13
This is the output I had.
[Attached image not reproduced]
The Following 3 Users Say Thank You to jellyroll For This Useful Post:
Posts: 1,808 | Thanked: 4,272 times | Joined on Feb 2011 @ Germany
#14
Originally Posted by Estel
It's quite funny, considering how some guy (our own private version of Poettering, if anyone is in doubt about who I'm referring to) tried to push bash down everyone's throat in the Maemo community, calling ash "messybox" and (successfully) preventing busybox-power integration into CSSU.

Yes, if anyone hasn't noticed, we still don't have busybox-power in CSSU, where it belongs, and need to install it via a package that does binary file replacement... Mind this day, and a big middle finger to you, busybox haters.

/Estel
Don't know what your point is. Really. busybox is a MESSYBOX whose only advantage is visible only on severely limited systems -- not the N900.

IMHO bash or dash would be a much saner default. Plus the standard Linux coreutils instead of busybox clones.

And as for security: wait until someone starts looking at busybox. Then all those people with non-updatable appliances running web servers with crappy CGIs running as root (i.e. most routers or NASes) will regret it.

I can't wait to have a working debian on my N900. F*ck Maemo.
(I'm usually more polite, blame it on the Oktoberfest).
 

The Following 12 Users Say Thank You to reinob For This Useful Post:
Posts: 3,074 | Thanked: 12,960 times | Joined on Mar 2010 @ Sofia,Bulgaria
#15
reinob: don't feed the troll, please
__________________
Never fear. I is here.

720p video support on N900, SmartReflex on N900, Keyboard and mouse support on N900
Nothing is impossible - Stable thumb2 on n900

Community SSU developer
kernel-power developer and maintainer

 

The Following 7 Users Say Thank You to freemangordon For This Useful Post:
Posts: 254 | Thanked: 509 times | Joined on Nov 2011 @ Canada
#16
Probably the only exploit vector you would worry about would be DHCP. The other vectors, such as CGI scripts, restricted SSH shells, etc., are unlikely to affect your N900.

Most of you are probably still running the vulnerable version of OpenSSL, which is probably a bigger risk than this.
 

The Following User Says Thank You to shawnjefferson For This Useful Post:
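A quick local check for the bug this thread is about, the bash function-import flaw (CVE-2014-6271), added here as an example; it is not from the thread or from any of the posters. It sets an environment variable whose value starts with `() {` followed by a trailing command and starts the shell under test: a vulnerable bash imports the variable as a function and runs the trailing command, a patched bash and non-bash shells (busybox ash on Maemo, dash on Debian) treat it as an ordinary variable. The list of shell paths is an assumption for illustration; on a Maemo device you would expect /bin/sh (busybox) and, if installed from Extras, /bin/bash.

```shell
#!/bin/sh
# Added example (not from the thread): probe installed shells for the original
# Shellshock function-import bug (CVE-2014-6271). A vulnerable bash parses any
# environment variable whose value starts with "() {" as a function definition
# and executes the commands that follow the closing brace at startup; a patched
# bash, and non-bash shells such as busybox ash or dash, see a plain variable.
#
# Usage: shellshock_probe /path/to/shell
# Prints one of: vulnerable | patched | missing  (exit code 1 | 0 | 2).

shellshock_probe() {
    shell="$1"
    [ -x "$shell" ] || { echo "missing"; return 2; }
    # The payload only echoes a marker; nothing is written to disk.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$shell" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable"; return 1 ;;
        *)                   echo "patched";    return 0 ;;
    esac
}

# Report which binary /bin/sh really is (busybox on Maemo, dash on Debian, ...),
# since the result above only means something once you know what was tested.
resolve_sh() {
    readlink -f /bin/sh 2>/dev/null || echo /bin/sh
}

# Paths to check: an assumption for illustration, adjust to the system at hand.
for s in /bin/sh /bin/bash /usr/bin/bash; do
    printf '%-14s %s\n' "$s" "$(shellshock_probe "$s")"
done
printf '/bin/sh resolves to %s\n' "$(resolve_sh)"
```

A "patched" result only covers the original bug; the follow-up issues found in the same parser (CVE-2014-7169 and later) need the later bash updates as well, so the version string of the installed bash package is still worth checking. The probe is also useful for the DHCP vector mentioned above: whatever shell the DHCP client's hook scripts are run with is the one that matters, not necessarily the user's login shell.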
Posts: 81 | Thanked: 342 times | Joined on Jul 2012 @ Finland
#17
Originally Posted by Estel
It's quite funny, considering how some guy (our own, private version of poettering,

/Estel
That's a weird comparison. People who are bashing (sic) Poettering for not following the so-called Unix philosophy have now finally got their own pure Unix-philosophy vulnerability in bash. Ah well, sorry for the off-topic...
 

The Following User Says Thank You to jukk For This Useful Post:
Posts: 1,808 | Thanked: 4,272 times | Joined on Feb 2011 @ Germany
#18
Originally Posted by freemangordon
reinob: don't feed the troll, please
Sorry. Didn't/don't consider either the message or the messenger as a troll.

The question of busybox vs busybox-power vs GNU is still IMHO a very valid point of discussion. Some day Maemo might actually boot/work with bash as /bin/sh. I think I should work on that. But then again, give me Debian or Slackware and I'll dump Maemo on the spot.
 

The Following 4 Users Say Thank You to reinob For This Useful Post:
Estel
Posts: 5,028 | Thanked: 8,613 times | Joined on Mar 2011
#19
Originally Posted by reinob
Don't know what your point is.
My point is that in Maemo we're still stuck with busybox as /bin/sh, so suggesting (or considering as the only viable possibility) a half-baked replacement by installing bash, instead of putting an updated busybox (including security updates) into CSSU, is big bulls**t.

Especially since busybox is a prime example of a core system package that can't be distributed in Extras in a sane way (the only possibility is via binary file replacement, and you could distribute the whole CSSU this way... except that it's just plain wrong), yet it's not included in CSSU for bulls**t reasons.

Suggestions to use BASH instead were all too common during the busybox-power-in-CSSU discussion, effectively creating TWO possible attack surfaces instead of one. Of course the bash fanatics were absolutely sure that we wouldn't create a 2nd attack surface, as bash is awesome, magic, and 100% secure - which was proven wrong, and such an assumption was wrong by design (no matter how secure your software is, it's still a 2nd surface for attack). Not to mention being quite unrelated and demagogic (as it's hardly an argument against updating our default /bin/sh).
---

Anyway, there is a side effect to this thread, too - suddenly, I lost a big portion of respect for some people who are suddenly able only to use derivatives of "troll" in place of a discussion with arguments (and even gain "thanks" for it) - and I bet that it has more to do with pan-Maemo politics than with the topic at hand. Well, there is an old saying about spending too much time with someone and gaining his traits - I guess some people have stuck to joerg on IRC for too long. Pity, perhaps, but well, not the end of the world and s**t happens... Enough OT.

/Estel
 

The Following 3 Users Say Thank You to Estel For This Useful Post:
Posts: 2,076 | Thanked: 3,268 times | Joined on Feb 2011
#20
Sorry, but I have to disagree. Seems like you're fighting your personal war thanks to Shellshock. Imagine the opposite: a vuln in busybox, practically all routers in the world exposed (and N900/non-CMdroids). Someone from the bash proponents in CSSU comes in and states: "You see Estel, you're a dum...."
Bash was chosen for its features because this is a full Linux distro, not an embedded system. We can afford running a full-blown (pun unintended) and featured Linux distro with the latest and greatest (GPLv3 even); try compiling/packaging some stuff on device and the poor-featuredness of busybox tar will jump right at you. Yeah, go ahead and relink gtar and then...
 

The Following 11 Users Say Thank You to szopin For This Useful Post:
Tags: maemo 5, shellshock