    Sailfish OS bash shell is affected by the #shellshock bug

    Bundyo | # 11 | 2014-09-25, 10:34 | Report

    Originally Posted by javispedro View Post
    So how exactly do you plan to exploit this vulnerability on Jolla?

    What I would like to see is an upgrade to GPLv3 Bash4, instead of wasting more time on their bash3 fork.
    Probably like this, check the Internet Scans section:
    http://www.volexity.com/blog/?p=19

    javispedro | # 12 | 2014-09-25, 10:39 | Report

    Originally Posted by Bundyo View Post
    Probably like this, check the Internet Scans section:
    http://www.volexity.com/blog/?p=19
    But do you run a webserver on your Jolla? That can run CGI scripts?

    Bundyo | # 13 | 2014-09-25, 10:41 | Report

    Not yet

    nieldk | # 14 | 2014-09-25, 10:48 | Report

    Originally Posted by javispedro View Post
    But do you run a webserver on your Jolla? That can run CGI scripts?
    Ehh, yes

    The Following User Says Thank You to nieldk For This Useful Post:
    Bundyo

     
    coderus | # 15 | 2014-09-25, 11:01 | Report

    @javispedro #paranoiaeverywhere, lol

    vincr | # 16 | 2014-09-25, 13:04 | Report

    Wrong subforum, but what about Maemo and Meego? These OSes are infected with this bug too, aren't they?

    The Following User Says Thank You to vincr For This Useful Post:
    pichlo

     
    nieldk | # 17 | 2014-09-25, 13:38 | Report

    Originally Posted by coderus View Post
    anyway, waiting for bash update in nieldk repo
    Won't have to wait long

    Edit: https://openrepos.net/content/nieldk/bash

    patchlevel 25, which fixes #shellshock

    source (and binaries)
    https://build.merproject.org/package...elnielsen/bash


    Last edited by nieldk; 2014-09-25 at 15:38. Reason: Added screenshot
    The Following 10 Users Say Thank You to nieldk For This Useful Post:
    b.cloanta, Bundyo, coderus, HtheB, Jordi, OVK, rcolistete, strongm, vincr, Wikiwide

     
    MartinK | # 18 | 2014-09-25, 14:49 | Report

    Originally Posted by javispedro View Post
    The JollaStore RPM packages are somewhat safer, but only because they are manually/statically analyzed.
    Yeah, but as people are expected to publish compiled binaries, any QAed application can still every April 1 grab all your pictures and post them to Imgur. And the store QA has no realistic chance to find out about this beforehand.

    Still better than running as root, but there is still a lot of sensitive content accessible to unprivileged accounts & full network access for all apps.

    The Following User Says Thank You to MartinK For This Useful Post:
    Custodian

     
    Drekkie | # 19 | 2014-09-25, 16:17 | Report

    Originally Posted by vincr View Post
    Wrong subforum, but what about Maemo and Meego? These OSes are infected with this bug too, aren't they?
    When I ran the test command on my N9 it showed it was affected. I don't run a web server on it but I would be interested if there is any way to patch the N9 and N900 (haven't tested) once the mainstream patches get sorted.

    pichlo | # 20 | 2014-09-25, 17:43 | Report

    Just tested on my N900 (Bash4).
    Code:
    ~ $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test
    ~ $
    Originally Posted by MartinK View Post
    Still better than running as root


    (Source: http://xkcd.com/1200/)

    Last edited by pichlo; 2014-09-25 at 20:23. Reason: Added xkcd link
    The Following 2 Users Say Thank You to pichlo For This Useful Post:
    juiceme, Watchmaker
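
The two checks this thread circles around, as an added example that is not from any poster: `check_bash` runs the probe from the post above against a given bash binary (useful when a device carries more than one), and `flag_requests` marks access-log lines whose request, referer or user-agent field carries the `() {` function-definition prefix. The function names, binary paths and log lines (combined log format assumed) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and log lines are constructed.

# check_bash BIN: run the thread's probe against one bash binary and print
# "vulnerable", "not vulnerable" or "missing". Always returns 0.
check_bash() (
    bin=$1
    [ -x "$bin" ] || { echo "missing"; exit 0; }
    # env -i starts from an empty environment, so only the probe variable is passed.
    out=$(env -i x='() { :;}; echo vulnerable' "$bin" -c 'echo probe' 2>/dev/null || true)
    case $out in
        *vulnerable*) echo "vulnerable" ;;      # the trailing command ran during import
        *)            echo "not vulnerable" ;;  # x was treated as a plain string
    esac
)

# sample_log: constructed access-log lines (documentation IP ranges).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:41:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:48:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [25/Sep/2014:10:48:16 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "() { :; }; echo vulnerable" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:11:01:40 +0000] "GET /func() HTTP/1.1" 404 0 "-" "curl/7.38"
EOF
}

# flag_requests: read combined-format log lines on stdin and print
# "<line number> <client> <field>" for each field containing "() {".
# Splitting on the double quote gives: $2 request, $4 referer, $6 user-agent.
flag_requests() {
    awk -F'"' '{
        split($1, pre, " ")
        if (index($2, "() {")) print NR, pre[1], "request"
        if (index($4, "() {")) print NR, pre[1], "referer"
        if (index($6, "() {")) print NR, pre[1], "user-agent"
    }'
}

# Check the usual install locations, then scan the constructed log.
for b in /bin/bash /usr/bin/bash; do
    echo "$b: $(check_bash "$b")"
done
sample_log | flag_requests
```

A flagged log line only shows that a request carried the prefix; whether it mattered depends on what `check_bash` reports for the shell the CGI handler actually invokes.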

     