Security

From BubbaWiki
Revision as of 21:45, 30 September 2014 by BIO (talk | contribs) (Fixed vulnerability check and added bash output for second bug)


This site lists steps to secure the B3 against vulnerabilities that were discovered after the last official web update (2.6.0.2) was released by Excito.

Shellshock

Introduction

Shellshock (CVE-2014-6271) is the name of a bash bug recently discovered by Stéphane Chazelas that has existed since roughly 1992. The following command tests for this vulnerability:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable system will print

vulnerable
this is a test

whereas on a patched system the string vulnerable will not be printed.

While working on the bug, another severe flaw was discovered (CVE-2014-7169). Check for this vulnerability with the following command:

env X='() { (a)=>\' bash -c "echo date"; cat echo

CAUTION: On a vulnerable system, bash will report something like

bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
<current date>

that is, it prints the system date (<current date>) at execution time and also saves it to a file called echo in the current directory. A fixed system will report

date
cat: echo: No such file or directory

and creates no file named echo.
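The two manual checks above can be wrapped into a small POSIX sh script so the result is repeatable (for example after installing the fixed package, or from a cron job that mails the result). The following is an added example and not part of the BubbaWiki page: it runs the CVE-2014-6271 probe and inspects its output, runs the CVE-2014-7169 probe inside a throwaway directory so no stray echo file is left behind, and, where dpkg is available, compares the installed bash package against the fixed version named in the Fix section below. Function names and the exit-code convention (0 not vulnerable, 1 vulnerable, 2 undetermined) are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the BubbaWiki page): wraps the two manual Shellshock
# checks into functions so the result can be scripted and re-run after the fix.
# Exit codes: 0 = not vulnerable, 1 = vulnerable, 2 = could not determine.

# CVE-2014-6271: does bash execute the command appended to an exported
# function definition? A patched bash prints only "this is a test".
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# CVE-2014-7169: does the truncated function body leave a pending redirection
# that turns "echo date" into "date > echo"? Run in a throwaway directory so
# the probe cannot leave an "echo" file in the caller's working directory.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d 2>/dev/null) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' bash -c "echo date" >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
    return 0
}

# Maps a check's exit code to a human-readable label.
label() {
    case "$1" in
        0) echo "not vulnerable" ;;
        1) echo "VULNERABLE" ;;
        *) echo "unknown (bash or mktemp not available)" ;;
    esac
}

# Debian only: compare the installed bash package with the fixed version
# from the Fix section (4.1-3+deb6u2). Prints "n/a" where dpkg is absent.
installed_bash_status() {
    command -v dpkg-query >/dev/null 2>&1 || { echo "n/a"; return 0; }
    ver=$(dpkg-query -W -f='${Version}' bash 2>/dev/null) || { echo "n/a"; return 0; }
    if dpkg --compare-versions "$ver" ge 4.1-3+deb6u2; then
        echo "$ver (>= 4.1-3+deb6u2)"
    else
        echo "$ver (older than 4.1-3+deb6u2)"
    fi
}

# Prints one line per check and returns the worst result (1 beats 2 beats 0).
shellshock_report() {
    worst=0
    for check in check_cve_2014_6271 check_cve_2014_7169; do
        rc=0
        "$check" || rc=$?
        echo "$check: $(label "$rc")"
        if [ "$rc" -eq 1 ] || { [ "$rc" -eq 2 ] && [ "$worst" -eq 0 ]; }; then
            worst=$rc
        fi
    done
    echo "bash package: $(installed_bash_status)"
    return "$worst"
}

status=0
shellshock_report || status=$?
echo "overall: $(label "$status")"
```

The CVE-2014-7169 probe is run in a subshell inside a mktemp directory because the bug's effect is to create a file named echo in the current directory; checking for that file is more reliable than parsing bash's error messages, which vary between builds.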

Fix

MouettE compiled the latest bash from source using the Debian squeeze LTS repository.

The complete file list of the build is as follows:

Install the fixed bash version by running the following commands as the root user:

wget http://files.la-mouette.net/bubba/bash_4.1-3+deb6u2_armel.deb
dpkg -i bash_4.1-3+deb6u2_armel.deb

The first command downloads the bash_4.1-3+deb6u2_armel.deb package, while the second installs it.