IRC Logs for #crux-devel Thursday, 2014-09-25

00:47 <diverse> so have you guys thought about that 3.1.1 iso?
01:42 *** jaeger has joined #crux-devel
02:01 <jaeger> That thread on oss-sec about bash was impressive
02:04 <diverse> the bash exploit must be a really huge deal then?
02:05 <jaeger> big enough to be a pain
02:06 <diverse> so does it affect you when you run it as a shell or when executing it as an interpreter to a shell script?
02:06 <diverse> or both?
02:06 <jaeger> seems like both
02:06 <diverse> ouch
02:08 <diverse> so I'm still affected even if I use zsh shell as my default shell
02:48 *** mavrick61 has quit IRC
02:49 *** mavrick61 has joined #crux-devel
03:18 *** dwts has quit IRC
03:26 *** dwts has joined #crux-devel
04:21 *** Workster has joined #crux-devel
07:47 <teK__> diverse: only if you ran bash somewhere and, obviously doing ./somescript.sh does not really count ;)
07:47 <teK__> 08:14 < csoghoian> MT @octal: Scariest thing about #bashpocalypse is dhcp. I for one have zero interest in dhcping on any untrusted networks for a long time.
07:47 <teK__> ;)
08:31 <teK__> and it begins..
08:31 <teK__> @stevelord: Oooh nice VMWare Fusion privesc using #bashbug in #metasploit: https://t.co/z863CEkKyN <github.com/rapid7/metaspl…>
08:35 <Romster> what's up with vtty1 when you use startx, xorg-server is on F1 now and not F7?
09:03 <frinnst> how do you launch X? startx?
09:03 <frinnst> I read that the last update to xorg-server changed this but i don't experience it on any of my systems with slim
09:07 <Romster> just startx at the prompt
09:07 <Romster> and it now runs on vtty1 rather than vtty7 now
09:08 <Romster> vtty1 used to be the debug output
09:11 <frinnst> https://www.archlinux.org/news/xorg-server-116-is-now-available/
09:17 <Romster> X is now rootless with the help of systemd-logind,
09:18 <Romster> yeah read that but we don't use systemd
09:18 <Romster> says nothing about vtty7 to vtty1
09:18 <frinnst> woah, top changed quite a bit with the latest update
09:19 <frinnst> Romster: iirc, there was a commit mentioning it in a 1.16.99x beta
09:23 <teK__> s-top-htop-
10:58 *** xetver has joined #crux-devel
13:56 <teK__> frinnst: with a patched bash:
13:56 <teK__> X='() { (a)=>\' bash -c "echo date"
13:56 <teK__> check with: cat echo
14:06 <frinnst> yeah, it's still a bit fucked
14:12 <frinnst> http://seclists.org/oss-sec/2014/q3/690
14:17 <frinnst> might be worth looking into replacing bash as /bin/sh for 3.2
14:18 <frinnst> i ran dash as /bin/sh for a while a couple of versions ago, no issues then
14:18 <jaeger> I've run into problems using dash (not fully POSIX-compliant)
14:18 <jaeger> not very common, though, most users could do it without trouble
14:19 <frinnst> oh? i thought it was
14:19 <jaeger> I'm trying to remember what the problem was, it was something kinda obscure
14:19 <jaeger> Had to switch a couple ubuntu servers to use bash by default but it was only those, not everything
14:21 <frinnst> you sure it wasn't the other way around? the script required some non-posix stuff?
14:21 <frinnst> https://wiki.ubuntu.com/DashAsBinSh
14:22 <jaeger> I'm positive but unfortunately it was a long time ago
14:22 <jaeger> maybe it's been fixed now
14:22 <frinnst> DASH is a POSIX-compliant implementation of /bin/sh that aims to be as small as possible. It does this without sacrificing speed where possible. In fact, it is significantly faster than bash (the GNU Bourne-Again SHell) for most tasks.
14:22 <frinnst> yeah i guess
14:23 <jaeger> Worth looking into, I don't mean to bag on it
14:31 <frinnst> debate is always good
14:31 <jaeger> I remember now at least the servers on which I had to do that. They were XNAT (tomcat webapp) servers
14:32 <jaeger> The XNAT setup stuff barfed on dash so maybe you're right that it could have been the script's fault, not dash's
14:32 <frinnst> yeah i've had #!/bin/sh scripts that should have been #!/bin/bash
14:33 <jaeger> unrelated to that, wireshark seems to depend on qt but not include qt in its deps
14:33 <jaeger> I thought it was gtk-only, is that new?
14:34 <frinnst> yeah they abandoned gtk a while back. remember reading about it
14:34 <teK__> frinnst: replacing / removing the bashism has been a long standing bug with jue refusing (somewhat) the priority of this
14:34 <jaeger> ah, yeah, --with-qt is default now
14:35 <jaeger> personally I haven't thought in the past that replacing bash with something else is worth the effort
14:35 <jaeger> even now I don't, really. software has bugs, they fix them (hopefully)
14:35 <frinnst> indeed, changing from bash because of the bug is not a good reason
14:35 <jaeger> teK__: are you still building wireshark with gtk or should that be changed to depend on qt?
14:36 <teK__> at least I didn't change a thing in that department
14:36 <teK__> so I guess it's gtk.
14:36 <teK__> why?
14:37 <frinnst> finddeps wireshark -> qt4
14:37 <teK__> duh :P
14:37 <jaeger> because the build bitches now if you don't have qt installed
14:37 <jaeger> might work with --with-qt=no, I haven't tried that
14:37 <jaeger> will test
14:38 <jaeger> heh, adding --without-qt causes it to complain that neither gtk nor qt are installed.
14:38 <jaeger> GTK is installed
15:04 <frinnst> gtk3 too?
15:08 <jaeger> not on that machine, just gtk2
15:14 <jaeger> after I installed qt4 then wireshark bitched that gtk3 isn't installed :D
15:14 <jaeger> I guess it wants both by default
15:26 <jaeger> with both installed, the wireshark executable did not link against qt, interesting
16:00 <jaeger> if qt4 is then uninstalled and I add --without-qt, the build fails with the same message about neither qt nor gtk being available
18:28 <teK__> holy cow
18:28 <jaeger> yeah, bit weird.
18:29 <teK__> btw.. if I was running xen, I'd be deeply disturbed :P
18:30 <jaeger> yeah, xen's been all over oss-sec lately :)
18:31 <teK__> and aws has been all over rebootin
18:31 <teK__> :D
18:32 <jaeger> heh
18:32 <frinnst> heh, xen is always releasing security fixes :)
18:33 <teK__> hehe, ok
18:33 <frinnst> http://i.imgur.com/BPGsKbc.jpg
18:39 <teK__> \o/
18:39 <teK__> "there, I fixed it"
18:43 <teK__> https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
18:44 <teK__> how easy can it get? :|
19:30 <nrxtx> teK__: don't think about all the cgi wrappers around passing get parameters as environment variables :D
19:40 <teK__> my links owns you before you really entered the network..
19:51 <nrxtx> uh what did i miss? :D
20:09 <nrxtx> teK__: do you have a spice-vdagent pkgfile around?
20:10 <teK__> no
20:32 *** nrxtx has joined #crux-devel
22:43 *** novak has quit IRC
22:45 *** novak has joined #crux-devel
22:54 <Romster> i've asked years ago why we haven't used dash
23:22 *** novak has quit IRC
23:27 *** novak has joined #crux-devel
23:36 *** novak has quit IRC
23:38 *** novak has joined #crux-devel
