From: unruh@invalid.ca   
      
   On 2014-09-28, Markus R. Keßler wrote:
   > Hi everybody,   
   >   
   > sure, you've already heard from one of the most severe bugs in linux   
   > bash these days.   
   >   
   > On my redhat machines it was no big challenge to fix the bug, because   
   > redhat created a patched version and put it into their repositories.   
   >   
   > Unfortunately, this is not possible with mandriva, of course.   
      
   Well, it is. Mandriva had patches out. But 2009.1 is 5 years old. Redhat
   also does not support 5 year old OSs.
   You could always download bash source from a mageia mirror   
   (bash-4.2-49.1mga3.src.rpm) and compile it on your 2009.1 system.   
      
   >   
   > So, on a box with mandriva 2009.1 / kernel 2.6.39.4, I got the shell   
   > sources and all patches from gnu.org, applied the patches successively   
   > and configured and made the executable.   
      
   You do not tell us which source you got and which patches. It is all
   patches up to 49 -- bash42-049 that you need. Note that you need ALL   
   the patches, not just the last one.   
      
      
   >   
   > It can be invoked and does what it should, but unfortunately, before and   
   > after applying the patches and compiling, I always get as a   
   > result "vulnerable", when running the well-known test   
   >   
   > env x='() { :;}; echo vulnerable' bash -c 'echo hello'   
   >   
   > I tested this with different versions from 3.2 .. 4.3. but it's always   
   > the same.   
   >   
   > What's puzzling me even more, is, that I ran the above test on a redhat   
   > box, and after patching there appears no "vulnerable" any more, what   
   > means, the patch is valid. But, when downloading exactly this bash   
   > (2.05b) to my mandriva box, it runs, but there it shows "vulnerable"?!   
      
   What does this mean "downloading exactly this bash"?   
   And where did you put this bash. Are you sure you do not have an old one   
   lying around that you are actually using?   
      
      
   >   
   > Does anyone have an idea what could cause this misbehaviour?   
   > A shell is one big monolithic executable, which does not install dozens   
   > of libraries out of its rpm, isn't it?   
   >   
   > Thanks for any hint.   
   >   
   > Best regards,   
   >   
   > Markus   
   >   
      
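The reply's question about an old bash "lying around" can be checked mechanically, because the test command in the post runs whichever `bash` comes first on the search path. The script below is an added example, not part of the original thread; the function names are hypothetical, and it only reuses the test command quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): find every "bash" on a search path and
# run the post's test against each by absolute path, so a stale copy shows up.

# Print each executable named bash in the colon-separated path $1 (default
# $PATH), in lookup order. Runs in a subshell so IFS/noglob changes stay local.
list_bash_binaries() (
    search_path=${1:-$PATH}
    IFS=:
    set -f
    for dir in $search_path; do
        [ -n "$dir" ] || dir=.          # empty PATH entry means current dir
        if [ -f "$dir/bash" ] && [ -x "$dir/bash" ]; then
            printf '%s\n' "$dir/bash"
        fi
    done
)

# Run the function-import test quoted in the post against binary $1.
# Prints a verdict; returns 1 if the trailing command after the function ran.
check_bash() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo hello' 2>/dev/null) || true
    case $out in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "not vulnerable"; return 0 ;;
    esac
}

# Report which binary a bare "bash" resolves to, then verdict, path and
# version line (the third number is the patch level) for every copy found.
audit_bash() {
    first=$(list_bash_binaries "$1" | head -n 1)
    echo "bare 'bash' resolves to: ${first:-none found}"
    list_bash_binaries "$1" | while IFS= read -r bin; do
        verdict=$(check_bash "$bin") || true
        version=$("$bin" --version 2>/dev/null | head -n 1) || true
        printf '%s\t%s\t%s\n' "$verdict" "$bin" "$version"
    done
}

audit_bash "$PATH"
```

If a freshly built binary reports "not vulnerable" by absolute path while the bare test still prints "vulnerable", an older copy earlier on the path is the one being run.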