ehowton (ehowton) wrote,

SHELLSHOCK

Running no less than 7 different versions at home:


eric-howtons-power-mac-g5:~ root# bash --version
GNU bash, version 3.2.17(1)-release (powerpc-apple-darwin9.0)

ehowton@sles4sap:~/Desktop> bash --version
GNU bash, version 3.2.51(1)-release (x86_64-suse-linux-gnu)

[root@ehowton ~]# bash --version
GNU bash, version 4.1.2(1)-release (i386-redhat-linux-gnu)

ehowton@xenchunk:~$ bash --version
GNU bash, version 4.2.25(1)-release (x86_64-pc-linux-gnu)

ehowton@susevm:~> bash --version
GNU bash, version 4.2.42(1)-release (i586-suse-linux-gnu)

ehowton@suse4ext:~$ bash --version
GNU bash, version 4.2.45(1)-release (x86_64-suse-linux-gnu)

[/home/ehowton] ehowton@belanna: bash --version
GNU bash, version 4.3.22(1)-release (ia64-hp-hpux11.31)


And then something WONDERFUL HAPPENED! I discovered - for the first time ever - A FREAKING ONLINE SOFTWARE MANAGEMENT REPOSITORY FOR HP/UX! I was beside myself with joy and wonder! Check out this shiznit:

[/var/tmp/packages] root@belanna# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

[/var/tmp/packages] root@belanna# depothelper bash
===============================================================================
Package-version Comment Download Install
===============================================================================
ia64-11.31 Package list OK OK
bash-4.3.022 Uninstall old ver. N/A OK
bash-4.3.025 Requested OK OK
===============================================================================

[/var/tmp/packages] root@belanna# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

[/var/tmp/packages] root@belanna#

Magic.

It's called depothelper. Nice of them to roll this out now that Intel is no longer making Itanium chips and everyone is migrating to x86 Linux. Oh well.
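
The same one-liner test from the session above, wrapped so it can be pointed at any bash binary and scripted across a pile of hosts. This is an added example, not part of the original post; the function names and result labels are made up here.

```shell
#!/bin/sh
# Added example: classify a bash binary using the env test shown in the post.
# Function names and result labels are hypothetical, chosen for this example.

# classify_output TEXT
# TEXT is the combined stdout+stderr captured from the test command.
classify_output() {
    out=$1
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        # The command smuggled in after the function body was executed.
        echo vulnerable
    elif printf '%s\n' "$out" | grep -q 'ignoring function definition attempt'; then
        # The import was refused with a warning, as in the post-upgrade session.
        echo patched-warns
    elif printf '%s\n' "$out" | grep -qx 'this is a test'; then
        # Newer bash builds do not treat x as an exported function at all,
        # so nothing but the requested echo appears.
        echo patched-silent
    else
        echo unknown
    fi
}

# check_bash PATH
# Run the test against one specific bash binary with a clean environment.
check_bash() {
    bin=$1
    [ -x "$bin" ] || { echo missing; return 2; }
    out=$(env -i x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>&1)
    classify_output "$out"
}

# Usage: sh thisfile /bin/bash /usr/local/bin/bash ...
for b in "$@"; do
    printf '%s: %s\n' "$b" "$(check_bash "$b")"
done
```

Run it once per bash binary on a box; a host with both a vendor bash and a depot-installed one can have one patched and the other not.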

EDIT:

You can find it here: http://hpux.connect.org.uk/hppd/hpux/Sysadmin/depothelper-2.20/ (it says it downloads in .gz but just untar it). Even if you already have depothelper (v2.0), it no longer works; you need v2.2, and sadly you can't just # depothelper depothelper (I tried lol):

[/var/tmp/packages] root@belanna# depothelper bash
==================================================
Package-version Comment Download Install
==================================================
ia64_64-11.31 Package list Using cache OK
gettext-0.19.5 Uninstall old ver. N/A OK
gettext-0.20.1 Dependency (01/04) OK OK
libiconv-1.14 Uninstall old ver. N/A OK
libiconv-1.16 Dependency (02/04) OK OK
libunistring-0.9.10 Dependency (03/04) OK OK
readline-8.0.004 Dependency (04/04) Downloading...
Tags: hpux, linux, mac, unix