Guest | Posts: n/a | Thanked: 0 times | Joined on
#31
Originally Posted by javispedro:
Jolla doesn't use dhclient; it uses connman's builtin gdhcp client.
Will test later when I am at home on my Linux box

EDIT: Again, during "security crazes" please remember to keep your brain turned on. There's a shitton of people (e.g. stackoverflow) who are right now posting "instructions to solve the bash bug" which include absurd things such as replacing your distro's bash with some random online version. Without proper care, that's even more stupid than plainly doing nothing.
Absolutely true!

This doesn't necessarily apply to nieldk's packages, which I think one can trust (hehe ;P), but please remember to be generally cautious about this.
:P only if you can trust 1) GNU sources 2) Mer build engine
 
Bundyo
Posts: 4,708 | Thanked: 4,649 times | Joined on Oct 2007 @ Bulgaria
#32
Originally Posted by LadyBug:
If someone is curious how shellshock could be used to attack a Sailfish device, this illustrates one attack vector: https://pbs.twimg.com/media/ByZZUzmIIAAuFaR.jpg:large

That is, a malicious DHCP server could attack by sending code in the options field. I haven't verified this with my Jolla, but in theory this could be bad. Think of public WIFI access points...
Here is the whole page:
https://www.trustedsec.com/september...proof-concept/
__________________
Technically, there are three determinate states the cat could be in: Alive, Dead, and Bloody Furious.
 

The Following User Says Thank You to Bundyo For This Useful Post:
HtheB
Moderator | Posts: 3,715 | Thanked: 7,419 times | Joined on Dec 2009 @ Bize Her Yer Trabzon
#33
why do I keep thinking of Turtles in Time (for the SNES) when I read 'Shellshock'?
(when you died, it said 'shellshock'. good old times)
__________________
www.HtheB.com
Please donate if you think I'm doing a good job.
 

The Following 4 Users Say Thank You to HtheB For This Useful Post:
Posts: 252 | Thanked: 597 times | Joined on Oct 2011 @ Denmark
#34
Originally Posted by Bundyo:
https://together.jolla.com/question/...#post-id-56855

This is the official answer, the thread was closed
Closing a bug report before the bug is fixed is not a good idea if you ask me.

Last edited by LouisDK; 2014-09-27 at 16:04.
 
Guest | Posts: n/a | Thanked: 0 times | Joined on
#35
Originally Posted by HtheB:
why do I keep thinking of Turtles in Time (for the SNES) when I read 'Shellshock'?
(when you died, it said 'shellshock'. good old times)
That game was good and hard; the good kind of frustrating hard. Damn you... now I want to play it again...
 

The Following User Says Thank You to For This Useful Post:
javispedro
Posts: 2,355 | Thanked: 5,249 times | Joined on Jan 2009 @ Barcelona
#36
Originally Posted by nieldk:
Will test later when I am at home on my Linux box
Try to write to a file in /tmp since you're not going to easily know where stdout from connman is redirected.
 

The Following User Says Thank You to javispedro For This Useful Post:
Posts: 1,067 | Thanked: 2,383 times | Joined on Jan 2012 @ Finland
#37
gdhcp is not setting any env variables, so it should not be vulnerable. But if you manage to find an exploit then feel free to send steps to reproduce by email to security@jolla.com
__________________
IRC: jonni@freenode
Sailfish: ¤ Qt5 SailfishTouchExample ¤ Qt5 MultiPointTouchArea Example ¤ ipaddress ¤ stoken ¤ Sailbox (Dropbox client) ¤
Harmattan: ¤ Presence VNC for Harmattan ¤ Live-F1 ¤ BTinput-terminal ¤ BabyLock ¤ BabyLock Trial ¤ QML TextTV ¤
Disclaimer: all my posts in this forum are personal trolling and I never post in any official capacity on behalf of any company.
 

The Following 2 Users Say Thank You to rainisto For This Useful Post:
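A defender-side check related to the point in post #37, as an added example that is not part of the thread or of connman's code: it lists the variables in a process environment block (the NUL-separated `/proc/<pid>/environ` format) whose value starts with `() {`, the prefix an unpatched bash treated as an imported function definition. The variable names and sample environment blocks are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an environment block for function-shaped values.
# A client that exports no attacker-controlled values into the environment
# of a child shell gives bash nothing of this shape to parse.

# flag_function_like_env FILE
# Prints the name of every variable whose value begins with "() {".
# Entries are split on NUL; a value containing a newline is checked
# line by line, which can only add findings, never hide one.
flag_function_like_env() {
    tr '\000' '\n' < "$1" | while IFS= read -r entry; do
        case $entry in
            *=*) ;;             # NAME=value entry
            *) continue ;;      # continuation line or junk, skip
        esac
        name=${entry%%=*}
        value=${entry#*=}
        case $value in
            '() {'*) printf '%s\n' "$name" ;;
        esac
    done
}

# make_samples: writes two constructed environment blocks and prints
# the directory holding them.
#   exported.env - a client that copied an option value into the environment
#   clean.env    - a client that exported nothing from the network
make_samples() {
    dir=$(mktemp -d)
    printf 'PATH=/usr/bin\000opt_hostname=() { :; }; echo constructed-sample\000opt_domain=example.test\000' \
        > "$dir/exported.env"
    printf 'PATH=/usr/bin\000HOME=/root\000' > "$dir/clean.env"
    printf '%s\n' "$dir"
}

sample_dir=$(make_samples)
flag_function_like_env "$sample_dir/exported.env"   # prints: opt_hostname
flag_function_like_env "$sample_dir/clean.env"      # prints nothing
rm -rf "$sample_dir"
```

On a live system the same function can be pointed at `/proc/<pid>/environ` of a shell spawned by a network daemon, given permission to read it.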
Guest | Posts: n/a | Thanked: 0 times | Joined on
#38
Originally Posted by rainisto:
gdhcp is not setting any env variables, so it should not be vulnerable. But if you manage to find an exploit then feel free to send steps to reproduce by email to security@jolla.com
Seems true, I couldn't use DHCP to trick connman into the exploit, neither with the included bash nor with my build
 

The Following 2 Users Say Thank You to For This Useful Post:
Guest | Posts: n/a | Thanked: 0 times | Joined on
#39
Internet of things - worth a read

http://paste.lisp.org/display/143864
 

The Following 4 Users Say Thank You to For This Useful Post:
Community Council | Posts: 4,920 | Thanked: 12,867 times | Joined on May 2012 @ Southern Finland
#40
Originally Posted by nieldk:
Internet of things - worth a read

http://paste.lisp.org/display/143864
All so true. Yet, this is something that happens all over again, whether the used components are FFOS or developed in-house. Sometimes a first-implemented solution works so well that proper break-in testing is not done... usually because of not enough time[*].

[*] There's never enough time to do things properly, but always time to fix them later
 
Tags
bash bug