No time to program today, updating all my linux machines instead.
I only caught a glimpse of it, but is there already a fix out for it?
Yes, Maybe? Depending on your vendor you will have a patch. The first series of patches to bash itself only stopped a subset of the issue, I believe bash now has a second set of patches to fully fix the issue. I know that yesterday RedHat applied custom patches to bash that fixed both use cases before bash upstream did.
The real problem is that numerous exploits have been discovered in the wild as it is horribly easy to write them.
Oh thank god
Just dodged a bullet
Our embedded platforms are using ash from busybox.
No time to program today, updating all my linux machines instead.
I only caught a glimpse of it, but is there already a fix out for it?
Yes, Maybe? Depending on your vendor you will have a patch. The first series of patches to bash itself only stopped a subset of the issue, I believe bash now has a second set of patches to fully fix the issue. I know that yesterday RedHat applied custom patches to bash that fixed both use cases before bash upstream did.
The real problem is that numerous exploits have been discovered in the wild as it is horribly easy to write them.
Oh thank god
Just dodged a bullet
Our embedded platforms are using ash from busybox.
If a vulnerability was ever discovered in busybox though, I would be so far up the creek it's not even funny.
Half our customers wouldn't even consider upgrading/patching their devices, because "Hey, it already works, right? Why patch something that already works?"
Luckily, most of them won't connect our devices up to the internet, but man...
So with all this bashing going on, good luck folks.
Question on other things though. Anyone know of a way to compile a .java file to .class file without installing the jdk? I'm on a computer where JDK is not installed and I can't install. If not, I will just check my program tonight when I get home, but I'm writing it in onedrive (which recognizes java files!) but cant test.
So with all this bashing going on, good luck folks.
Question on other things though. Anyone know of a way to compile a .java file to .class file without installing the jdk? I'm on a computer where JDK is not installed and I can't install. If not, I will just check my program tonight when I get home, but I'm writing it in onedrive (which recognizes java files!) but cant test.
I'm guessing not. Can you not download the .zip of the JDK instead of running the installer? There's got to be a way to do that instead, right?
I think the real question is: why is a shell ever exposed externally?
The fun part is that it doesn't really have to be.
ssh -o SendEnv=CraftedEnvFromSystem user@ip
Since the OpenSSH server sets up the environment before handing over to the shell (but at least after authentication), you could possibly break in to the system on any user with a shell set to BASH and run commands that normally would not be allowed.
This of course requires the server you're connecting to to be set up stuipidly to accept remote user environments, but the POC is pretty simple. Even if that is closed, you can craft various ForceCommand directives to SSH as well.
Except isn't this pretty irrelevant? If you have to be authenticated, then you're already a shell user in the first place, with shell user privileges.
It wouldn't work for any other shell then bash (i.e. git-shell or something).
why would it set it in the server process? it's for the session...
but I'm not sure certain git-shell and friends are safe anyway, since providing a command to ssh manually invokes it via the shell (or at least, it ended up using the shell builtin when I tried it with "echo"), and I wouldn't be surprised if authorized_keys does the same
(I should note, in my gitlab install at least, it still uses /bin/sh as the shell user, and overrides using command= in authorized_keys. I don't think it's actually touching the user's shell though, just always uses /bin/sh for commands, since I tested via my own authorized_keys and still hit the shell builtin)
End on
I wish that someway, somehow, that I could save every one of us
So with all this bashing going on, good luck folks.
Question on other things though. Anyone know of a way to compile a .java file to .class file without installing the jdk? I'm on a computer where JDK is not installed and I can't install. If not, I will just check my program tonight when I get home, but I'm writing it in onedrive (which recognizes java files!) but cant test.
I'm guessing not. Can you not download the .zip of the JDK instead of running the installer? There's got to be a way to do that instead, right?
I can look for that. I'm thinking of getting a portable as It seemed there was an option for that. I love portable apps. I was able to get a lot done using that web site, was just painful. I had to edit my .java, copy and paste, execute, repeat.
I don't know if I program right, but I make minor changes, test, repeat. I don't like to make large swaths of changes when righting.
So yeah, typical compose methods, like Clojure and most js libs are right associative. compose(a <- b);
Transducers.js port from the new Clojure stuff is left associative for some reason. compose(a -> b);
I'm pretty sure this is just to fuck with JS people.
Trying to right wrongs that were never wrong to begin with. Although to be fair, in math, there is both a right-to-left compose operator g ∘ f and a left-to-right compose operator f ; g.
@TwitchTV, @Youtube: master-level zerg ladder/customs, commentary, and random miscellany.
So with all this bashing going on, good luck folks.
Question on other things though. Anyone know of a way to compile a .java file to .class file without installing the jdk? I'm on a computer where JDK is not installed and I can't install. If not, I will just check my program tonight when I get home, but I'm writing it in onedrive (which recognizes java files!) but cant test.
I'm guessing not. Can you not download the .zip of the JDK instead of running the installer? There's got to be a way to do that instead, right?
I can look for that. I'm thinking of getting a portable as It seemed there was an option for that. I love portable apps. I was able to get a lot done using that web site, was just painful. I had to edit my .java, copy and paste, execute, repeat.
I don't know if I program right, but I make minor changes, test, repeat. I don't like to make large swaths of changes when righting.
I prefer smaller changes myself. Would rather have to troubleshoot 20 lines of code than 200 lines of code. But that's just me. The other guys hate me because I make a bunch of commits and deployments.
I think the real question is: why is a shell ever exposed externally?
The fun part is that it doesn't really have to be.
ssh -o SendEnv=CraftedEnvFromSystem user@ip
Since the OpenSSH server sets up the environment before handing over to the shell (but at least after authentication), you could possibly break in to the system on any user with a shell set to BASH and run commands that normally would not be allowed.
This of course requires the server you're connecting to to be set up stuipidly to accept remote user environments, but the POC is pretty simple. Even if that is closed, you can craft various ForceCommand directives to SSH as well.
Except isn't this pretty irrelevant? If you have to be authenticated, then you're already a shell user in the first place, with shell user privileges.
It wouldn't work for any other shell then bash (i.e. git-shell or something).
Well yeah, except it provides a way for users to bypass any ForceCommand directives setup in sshd_config. So a user that is only supposed to be able to run, I dunno, git commands or whatever, would now be able to run any executable on the system they had permissions for. It isn't nearly as bad as the CGI exploits going around based on this, but it is a significant attack vector.
0
Options
mightyjongyoSour CrrmEast Bay, CaliforniaRegistered Userregular
Hooray, the v2 patch for Fedora is out now. Is the v2 patch the final one (for now)?
I'm between projects right now, so I figure I should finally do the home site revision I wanted to do for the last, oh, 2+ years. It's pretty stupid to be like, "Hey, I'm a freelancer! Hire me!" if I don't actually have a website that's up and running at the moment. I haven't touched ASP.NET MVC in a few years, and I really like C#, and I have some free Azure space, so I'm just like, "Fuck it, I might as well learn about the cloud and shake the rust off my Microsoft skills."
Now, my old, horrible homesite is on GitHub, and I used GitHub for Windows to transfer over a local copy. I have my new project working with Git locally, but when I try to push, it gives me an error about how it can't do it because there's a remote branch with the same name as a local branch. Well, duh. That's how VCS works. So, apparently, VS 2013 will only push if the branch was created through it. Otherwise, it won't. Which is moronic.
Basically, zsh isn't vulnerable itself, but just because your shell is zsh doesn't mean things don't use bash all the time.
"I resent the entire notion of a body as an ante and then raise you a generalized dissatisfaction with physicality itself" -- Tycho
0
Options
gavindelThe reason all your softwareis brokenRegistered Userregular
I learned how to use Git this week for my senior design project. It is hard to fight the irrational fear that I will accidentally overwrite everything the first time I click "commit".
On the other hand, it is quite a bit more elegant than sharing a google document.
i've been fucking around with HSV color interpolation on and off for weeks and I realized that the reason I was never getting good results is because my shading algorithm was much with the borked
finally fixed all that, so I am going back to the HSV later on... although I'm not sure it's purely necessary. It's good enough now to take a video so I will this weekend
+2
Options
BrocksMulletInto the sunrise, on a jet-ski. Natch.Registered Userregular
I don't suppose this is the place to talk about a Blue Screen of Death, is it?
Posts
https://itunes.apple.com/us/book/id881256329?mt=11
Oh thank god
Just dodged a bullet
Our embedded platforms are using ash from busybox.
*phew*
You are lucky.
If a vulnerability was ever discovered in busybox though, I would be so far up the creek it's not even funny.
Half our customers wouldn't even consider upgrading/patching their devices, because "Hey, it already works, right? Why patch something that already works?"
Luckily, most of them won't connect our devices up to the internet, but man...
Apparently there still is some related vulnerability that is not patched yet though?
so version 1 handles:
env var='() { ignore this;}; echo vulnerable' bash -c /bin/trueand version 2 handles:
env X='() { (a)=>\' sh -c "echo date"; cat echoWoops you are correct it looks like version 2 isn't ready yet.
Question on other things though. Anyone know of a way to compile a .java file to .class file without installing the jdk? I'm on a computer where JDK is not installed and I can't install. If not, I will just check my program tonight when I get home, but I'm writing it in onedrive (which recognizes java files!) but cant test.
it doesn't need to be exposed directly
Consider a CGI script that fork/execvs a shell script. That shell script would get all those HTTP_* environment variables.
Luckily, even CGI scripts have been on their way out for a long time anyway.
I'm a bit puzzled with what/why bash is even doing with those environment variables where this came up though
http://www.jdoodle.com/
But, strangely, I'm still doing this.
Environment variables are a horrible way to transfer that information! And shell scripts shouldn't be providing web services!
I'm guessing not. Can you not download the .zip of the JDK instead of running the installer? There's got to be a way to do that instead, right?
Except isn't this pretty irrelevant? If you have to be authenticated, then you're already a shell user in the first place, with shell user privileges.
It wouldn't work for any other shell then bash (i.e. git-shell or something).
but I'm not sure certain git-shell and friends are safe anyway, since providing a command to ssh manually invokes it via the shell (or at least, it ended up using the shell builtin when I tried it with "echo"), and I wouldn't be surprised if authorized_keys does the same
(I should note, in my gitlab install at least, it still uses /bin/sh as the shell user, and overrides using command= in authorized_keys. I don't think it's actually touching the user's shell though, just always uses /bin/sh for commands, since I tested via my own authorized_keys and still hit the shell builtin)
assuming there isn't some dumb pam module involved, the only shell involved is going to be the user's long after you've assumed the user's id anyway
the only problem ssh has is (probably?) restricted shells where you wouldn't already get dropped into a real shell
I can look for that. I'm thinking of getting a portable as It seemed there was an option for that. I love portable apps. I was able to get a lot done using that web site, was just painful. I had to edit my .java, copy and paste, execute, repeat.
I don't know if I program right, but I make minor changes, test, repeat. I don't like to make large swaths of changes when righting.
compose(a <- b);
Transducers.js port from the new Clojure stuff is left associative for some reason.
compose(a -> b);
I'm pretty sure this is just to fuck with JS people.
"If you're going to play tiddly winks, play it with man hole covers."
- John McCallum
Trying to right wrongs that were never wrong to begin with. Although to be fair, in math, there is both a right-to-left compose operator g ∘ f and a left-to-right compose operator f ; g.
I actually have a client project with a mission critical bash script of the several hundred line variety
I don't think bash has really changed in 20 years.
I prefer smaller changes myself. Would rather have to troubleshoot 20 lines of code than 200 lines of code. But that's just me. The other guys hate me because I make a bunch of commits and deployments.
Well yeah, except it provides a way for users to bypass any ForceCommand directives setup in sshd_config. So a user that is only supposed to be able to run, I dunno, git commands or whatever, would now be able to run any executable on the system they had permissions for. It isn't nearly as bad as the CGI exploits going around based on this, but it is a significant attack vector.
I'm between projects right now, so I figure I should finally do the home site revision I wanted to do for the last, oh, 2+ years. It's pretty stupid to be like, "Hey, I'm a freelancer! Hire me!" if I don't actually have a website that's up and running at the moment. I haven't touched ASP.NET MVC in a few years, and I really like C#, and I have some free Azure space, so I'm just like, "Fuck it, I might as well learn about the cloud and shake the rust off my Microsoft skills."
Now, my old, horrible homesite is on GitHub, and I used GitHub for Windows to transfer over a local copy. I have my new project working with Git locally, but when I try to push, it gives me an error about how it can't do it because there's a remote branch with the same name as a local branch. Well, duh. That's how VCS works. So, apparently, VS 2013 will only push if the branch was created through it. Otherwise, it won't. Which is moronic.
A relevant fyi about zsh (I prefer fish shell, but certain things at work make it hard to replace zsh with fish, so I stick with zsh)
https://superuser.com/questions/816622/does-the-shellshock-bug-affect-zsh
Basically, zsh isn't vulnerable itself, but just because your shell is zsh doesn't mean things don't use bash all the time.
On the other hand, it is quite a bit more elegant than sharing a google document.
Legends of Runeterra: MNCdover #moc
Switch ID: MNC Dover SW-1154-3107-1051
Steam ID
Twitch Page
finally fixed all that, so I am going back to the HSV later on... although I'm not sure it's purely necessary. It's good enough now to take a video so I will this weekend
Steam: BrocksMullet http://steamcommunity.com/profiles/76561197972421669/
Not particularly, but usually, BSoDs nowadays tend to be symptoms of hardware failure, as opposed to crappy software/drivers...
Edit: But feel free to post more details.
The worst that'll happen is that we'll all go Pop? on your post because we have no idea, and the hardware may have popped or something.