[Flipside]

No, not the bending thing.

http://www.bbc.co.uk/news/technology-29361794

Basically, there seems to some kind of security hole that allow people to remotely access a large percentage of Linux and Apple based computers with moderate ease. Seems to be centrered around something called Bash, but as a non-Unix/Apple owner, my knowledge of the details stop there.

There is, apparently, a patch for it here :

https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability

[Nuke]

i want to say bash is the *nix equivalent of cmd.exe or command.com. which means its essentially a gaping hole in the os.

[ngld]

I just want to add that this is only exploitable if an attacker can actually set environment variables which only happens in the following circumstances:

• The attacker has SSH access. This is most likely the biggest problem for Git servers (see GitHub) because they have to give (restricted) SSH access to all users. In almost every other case only server admins get SSH access.
• The web server runs CGI scripts (i.e. cgi-bin/... is part of the URL).
• Some other application sets environment variables with untrusted user data. This should be pretty rare.

So... while this vulnerability is critical it's difficult to exploit in most cases. Most targets will be web servers which still use php in CGI mode or Git servers. The web server admins should either switch to mod_php (Apache module) or use PHP in FastCGI mode to solve the problem. I'm not sure how to mitigate the Git server issues or the CGI scripts (i.e. Bugzilla).

The patch only fixes a part of the vulnerability: https://isc.sans.edu/diary/Update+on+CVE-2014-6271%3A+Vulnerability+in+bash+%28shellshock%29/18707

[Phantom Hoover]

This is also, to be clear, very much a server issue, not a desktop one. It's a very serious server issue, but unless you're running web services like the ones ngld mentioned it won't work.

[Flipside]

Understood, I knew nothing about the nature of the problem, just the fact there was a potential risk, so it's good to see people explaining it more fully.

[Luis Dias]

Tom:

[Phantom Hoover]

What's kind of amazing and/or terrifying here is that bash is 25 years old and this bug has apparently been there since the beginning.

[pecenipicek]

i find the way this has been sensationalistically covered annoying. there will be fun at work tomorrow.

[Phantom Hoover]

Wait, no, this totally can affect desktop systems. dhcp-client is vulnerable too, apparently.

[pecenipicek]

Wait, no, this totally can affect desktop systems. dhcp-client is vulnerable too, apparently.

from what i gather, anything that can/does spawn a subshell and can set enviroment variables is. which is a very, very, very large amount of things.

[ngld]

Yes, but most programs don't put data from a remote connection in these environment variables. It isn't enough if the program can set an environment variable, it actually has to set it to a specific value (which the attacker supplies). There aren't that many programs which do that.
I guess the most important ones are OpenSSH (any authenticated user can set env vars), Webservers (only if they run CGI scripts) and deamons like dhcp-client which run shell scripts as hooks and supply data from a remote party using environment variables.

[Ghostavo]

This is some serious serious ****.

[ngld]

I'm not sure where dhclient's script file is but if you're using dhcpcd you can edit /usr/lib/dhcpcd/dhcpcd-run-hooks and replace the first line with "#!/bin/dash". You need to install dash if it isn't already installed but then you're safe from shellshock (over DHCP at least).