Bash "Shell Shock" Vulnerability

  • #6011
    Ian McCoy
    Participant

    Are there any plans to release a patch to address the Bash “Shell Shock” vulnerability? Apparently, the MultiConnect OCGs are vulnerable. I upgraded one of my test assets to the latest CoreCDP version and ran the following test:

    env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
    env X="() { :;} ; echo busted" $(which bash) -c "echo completed"

    Results:

    busted
    completed

    Regards,

    Ian

    #6014
    Darrik Spaude
    Keymaster

    Hi Ian,

    The vulnerability affects versions 1.14 through 4.3 of GNU Bash. The OCG products have a vulnerable version of bash. We’re still working on what we need to do regarding this security vulnerability, but this product line should be in line for an update to resolve the vulnerability.

    #6030
    Jesse Gilles
    Blocked

    Ian,

    A fix has been committed to the CoreCDP git repository that updates bash to 3.2.54 and resolves the recent vulnerabilities.

    http://git.multitech.net/cgi-bin/cgit.cgi/corecdp.git/commit/?id=5a9a1b6e0cfabaa591a63e8e637c3b03b806bd59

    Are you building a custom image for your project?

    Jesse

    #6031
    Ian McCoy
    Participant

    Jesse,

    Thanks for the patch. Yes, I made a custom image. I have roughly ~500 of the OCGs in the field running corecdp-2.2.2. Can I create a *.ipk package to upgrade bash or do I need to flash a new image? Finally, will it play well with CoreCDP version 2.2.2?

    Regards,

    Ian

    #6032
    Jesse Gilles
    Blocked

    Yes, you should be able to update it without flashing.

    After building the updated bash, you’ll find the .ipk at:
    build/tmp/deploy/eglibc/ipk/armv5te/bash_3.2-r14.10_armv5te.ipk

    Once you get that onto a device by some means (SCP, SD card, etc), you can run ‘opkg install ‘ and it will install the updated package locally. After installing, ‘bash --version’ should show 3.2.54.

    I don’t think you will have any issues running it on CoreCDP 2.2.2. If you do, please report back.

    Jesse
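
A post-install check that combines the probe from the first post with the version check from the last one, as an added example that is not from the original posts or from MultiTech. The function names and the OK/FAIL line format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-device check after installing the updated bash .ipk.
MARKER="busted"          # marker string used by the probe in the thread
WANT_VERSION="3.2.54"    # version the thread says the fixed bash reports

# probe_shell SHELL: run the thread's probe against SHELL, print its output.
probe_shell() {
    env X="() { :;} ; echo $MARKER" "$1" -c "echo completed" 2>/dev/null
}

# classify_probe OUTPUT: "vulnerable" if the trailing command in X ran,
# "patched" if only the -c command ran, "unknown" if the probe did not run.
classify_probe() {
    case "$1" in
        *"$MARKER"*) echo vulnerable ;;
        *completed*) echo patched ;;
        *)           echo unknown ;;
    esac
}

# parse_bash_version TEXT: extract x.y.z from the first line of
# `bash --version` output; prints nothing if no version is found.
parse_bash_version() {
    printf '%s\n' "$1" |
        sed -n '1s/.*version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# check_device SHELL: one summary line per device, easy to collect and grep.
# Both conditions must hold: the probe is inert AND the version matches.
check_device() {
    status=$(classify_probe "$(probe_shell "$1")")
    ver=$(parse_bash_version "$("$1" --version 2>/dev/null)")
    if [ "$status" = patched ] && [ "$ver" = "$WANT_VERSION" ]; then
        echo "OK $1 $ver"
    else
        echo "FAIL $1 status=$status version=${ver:-none}"
    fi
}

# Stand-alone use: pass the shell to check, e.g. /bin/bash or /bin/sh.
if [ "$#" -gt 0 ]; then check_device "$1"; fi
```

Checking both `/bin/sh` and the bash binary matters here, since the first post shows the probe firing through `/bin/sh` as well.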
