Just a quick question: Are we (the users of KAOS) also affected by this new virus called shellshock?

Thanks Michael,

I will check when I get home tonight.

Byebye

Make sure to update as soon as possible again, one more patch to fix the shellshock CVE was released, new bash is up in core for all users.

I noticed there was another bash update today. Is that still connected with shellshock or a "normal" update?

If you are on the repo, then yes another shellshock bash update, not moved to core yet, will be moved in a few hours. No use to rush anymore, all tests show KaOS is not vulnerable with previous bash updates. Now that bash is so much in the spotlight, many are helping with code, so seems better to test a little before moving to all users.

That makes sense and thank you for such a quick and detailed answer.

Awesome demm, got my new bash update. Thank you very much..... Please check my SMplayer post, please? I'm still having some minor issues there.

Hi,

There is a very interesting read on ZDNet regarding the bash shellshock issue and how to check if one is running a vulnerable version.

Having already updated bash twice, in a bash window I ran the command created by Red Hat just to make sure I was on the safe side. See the following snippet:

$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"

bash: warning: x: ignoring function definition attempt

bash: error importing function definition for `x'

bash: error importing function definition for `BASH_FUNC_x()'

test

$

According to the article, the above results mean that I have a version of bash that has the basic Shellshock patch, but it can still be attacked.

Moderator edit:

Merged with existing topic

Tried with bash from ?

Tried with bash in Konsole version 2.14.1 using KDE Development platform 4.14.1. Following snippet shows the 2 command lines created by Red Hat as referenced in the ZDNet article:

$ su

Password:

# env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"

bash: warning: x: ignoring function definition attempt

bash: error importing function definition for `x'

bash: error importing function definition for `BASH_FUNC_x()'

test

# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo

bash: x: line 1: syntax error near unexpected token `='

bash: x: line 1: `'

bash: error importing function definition for `x'

date

cat: /tmp/echo: No such file or directory

#

Thanks for your reply.

Not the question :)

Did you try to use bash with patch-level 027, currently in the repo?

pacman -Q bash

No. I am running bash version 4.3.026-1

Just install with:

sudo pacman -U http://kaosx.us/repo/build/bash-4.3.027-1-x86_64.pkg.tar.xz

and run your test

Just installed bash version 027. Ran test as root in Konsole. Following are the results:

$ su

Password:

# env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"

test

# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo

date

cat: /tmp/echo: No such file or directory

#

Bash update again today... It makes using OSS software feel so good when patches fly in like this :)

@snowdust I just ran that script with the latest update and the output is test, so I guess that vulnerability is now fixed.
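The two checks quoted in this thread, wrapped in a script that interprets their results. This is an added example, not part of the original posts; the function names, the `--live` switch and the private temporary directory (used instead of `/tmp`) are assumptions of the example.

```shell
#!/bin/sh
# Added example: interpret the output of the two Red Hat checks quoted in this thread.

# Classify the combined stdout+stderr of the first check.
classify_first_check() {
    out=$1
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        echo vulnerable   # the command appended after the function body ran
    elif printf '%s\n' "$out" | grep -Eq 'ignoring function definition attempt|error importing function definition'; then
        echo partial      # import rejected with warnings (the 4.3.026 result above)
    elif printf '%s\n' "$out" | grep -qx 'test'; then
        echo patched      # only the requested command ran (the 4.3.027 result above)
    else
        echo unknown
    fi
}

# Run both checks against a bash binary inside a private temp dir.
run_checks() {
    bash_bin=${1:-bash}
    dir=$(mktemp -d) || return 2
    first=$(cd "$dir" && env 'x=() { :;}; echo vulnerable' \
        'BASH_FUNC_x()=() { :;}; echo vulnerable' "$bash_bin" -c "echo test" 2>&1)
    (cd "$dir" && env 'x=() { (a)=>\' "$bash_bin" -c "echo date" >/dev/null 2>&1)
    # Second check: an affected bash leaves a file named "echo" behind.
    if [ -e "$dir/echo" ]; then second=vulnerable; else second=patched; fi
    rm -rf "$dir"
    echo "first=$(classify_first_check "$first") second=$second"
}

# Sample outputs: the first two are copied from the transcripts in this thread.
SAMPLE_026="bash: warning: x: ignoring function definition attempt
bash: error importing function definition for \`x'
bash: error importing function definition for \`BASH_FUNC_x()'
test"
SAMPLE_027="test"
# Constructed sample: the kind of output an unpatched bash would give.
SAMPLE_UNPATCHED="vulnerable
test"

# Only touch the local bash when explicitly asked: ./check.sh --live [path-to-bash]
if [ "${1:-}" = "--live" ]; then
    run_checks "${2:-bash}"
fi
```
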