Friday, September 26



Ugh.  Another one?

We dodged Heartbleed because our SSL libraries were older than the bug, but this bug - dubbed Shellshock - is old enough to vote, and the affected program is Bash, the default shell on hundreds of millions of Linux and MacOS X systems all over the world.

Fortunately CPanel updated Bash to the patch release automatically, and Minx itself is designed not to use the shell, ever.  I went so far as to write my own file management library because the default Python library uses the shell to do its work.  I didn't know of this bug at the time, obviously, but passing data from the web to a shell script is fraught with fraughtness and I wanted no part in it.

I think we're safe.  But while this is quick and easy to patch, there are a huge number of potentially affected servers and some of them have reportedly already been hacked.  Be extra cautious for the next few days if anything looks out of place on the sites you visit.  Big names like Amazon are almost certainly safe; it's the little guys who don't have a full-time IT staff who need to scramble.

Well, and the IT guys themselves, which is why I'm up at 3AM.

Posted by: Pixy Misa at 03:06 AM | Comments (13) | Add Comment | Trackbacks (Suck)
Post contains 212 words, total size 1 kb.

1 Speaking of the file system.  Would it be possible to make it so that when we create a new directory, the proper templates are automatically filled in?

Posted by: Mauser at Friday, September 26 2014 06:32 AM (TJ7ih)


They always used to tell me that OpenSourceâ„¢ was a guarantee of quality and lack of bugs and exploits. With all the eyes looking it over, nothing bad could make it through, they said. (Eric Raymond, I'm looking at you!)

Posted by: Steven Den Beste at Friday, September 26 2014 08:55 AM (+rSRq)

3 Another forum I read was all over this today.  Most of the people there asserted "(essentially) nobody uses CGI these days so this isn't likely to be widespread."  I wonder if that's true.

Posted by: RickC at Friday, September 26 2014 11:01 AM (0a7VZ)

4 CGI isn't used much these days - but all it takes is one old script that you've forgotten about, and persistent scanning bot, and they're in.

Posted by: Pixy Misa at Friday, September 26 2014 12:38 PM (PiXy!)

5 When they say "isn't used much", they almost always mean "for brand-new projects". There's all sorts of hairy old Production code out there with do-not-touch signs attached. There are several big companies who'd be happy to hire me because I know old Perl.

In this case, though, it doesn't matter. The most modern, spiffy web framework in the world might be running in a scripting language where system() calls out to the shell with an unsanitized environment, and then boom!

Many years ago I did much the same as Pixy when I was writing a secure-execution wrapper for student operators. "I can't think of anything nasty that you could do by passing the user's environment variables through, but just in case, I'll create a fresh, blank environment and pass just the ones I like". Six months later, there was a bug about overriding shared libraries through environment variables...


Posted by: J Greely at Friday, September 26 2014 02:57 PM (1CisS)

6 Just a caution, I dunno if you caught the update to that article (or the various CERT notices), but the first official fix for the vulnerability was flawed and either introduced something new or did not fix the entire problem.  There is apparently an unofficial patch out (and being tested, I guess), but no official patch yet.

Posted by: ReallyBored at Saturday, September 27 2014 02:59 AM (n3V1X)

7 Yeah, I already applied the second patch, and it sounds like there's going to be at least one more.  Yech.

Posted by: Pixy Misa at Saturday, September 27 2014 05:35 PM (2yngH)

8 Spam continues to make The Pond sad, Pixy... there's three examples in my comments queue to look at, if it helps, but I'm getting 200+ spams at a shot, three or four times a day.


Posted by: Wonderduck at Wednesday, October 01 2014 07:04 AM (BCjxQ)

9 One more seems...optimistic.  CERT just dumped 2 more "previous fix was incomplete" alerts out and added 2 more separate (but slightly less ugly) alerts.

Posted by: ReallyBored at Wednesday, October 01 2014 12:17 PM (n3V1X)

10 Pixy, I just had to delete 30 pages worth of spam from the Pond's comment section.  Same stuff that's been plaguing me for the past however long it's been...


Posted by: Wonderduck at Sunday, October 12 2014 06:15 AM (BCjxQ)

11 I'll set them on fire.  And also update the spam filter.

Posted by: Pixy Misa at Wednesday, October 15 2014 12:13 AM (PiXy!)

12 Ooh, yes, I like that idea.  Fire and spam goes well.

Posted by: Wonderduck at Wednesday, October 15 2014 01:46 PM (BCjxQ)

13 Your putting them to the torch appears to have made a difference, Pixy... instead of 30 pages of spam every few hours, I'm getting two or three spam comments total per day.

Thank you!

Posted by: Wonderduck at Thursday, October 16 2014 07:49 PM (BCjxQ)

Hide Comments | Add Comment

Comments are disabled.
50kb generated in CPU 0.0166, elapsed 0.6276 seconds.
56 queries taking 0.6181 seconds, 345 records returned.
Powered by Minx 1.1.6c-pink.