A new BASH bug?

  • SteveRiley replied:
    Originally posted by whatthefunk:
        Just checked on my HTC One running Android 4.4... bash wasn't found. Maybe it's only in Cyanogenmod?
    You're right. I downloaded the factory image from Google and unpacked it. No Bash in /system/xbin. Did the same with Cyanogenmod and -- yep -- there it is. Good call; I'll amend my earlier post.

  • jpenguin replied:
    Also, it looks like most Android phones are not vulnerable because they use a Bash alternative.
    http://www.vox.com/2014/9/25/6843949...-bug-explained

    Also, there are installers for bash on android

    https://play.google.com/store/apps/d...KcKsogTd8oCwAQ

    Pretty sure bash isn't standard to android

  • whatthefunk replied:
    Originally posted by SteveRiley:
        Good idea -- done.

        Apparently so. Here's my Nexus 4, running Cyanogenmod snapshot M10, built from Android 4.4.4:

        Nope, these particular vulnerabilities exist only in Bash.

        But that doesn't mean the other shells are free of potential vulnerabilities. Either no one's looked, or no one's reporting their findings.
    Just checked on my HTC One running Android 4.4... bash wasn't found. Maybe it's only in Cyanogenmod?

  • SteveRiley replied:
    Originally posted by Feathers McGraw:
        Hang on, wasn't the openssl bug found because Google and that other company did code audits?
    Codenomicon was the other entity. They have the best write-up. Amusingly, Codenomicon tripped over the vulnerability while they were working on improvements to their product that, uh, looks for vulnerabilities. A Google researcher discovered it independently, but I'm not finding any details about the circumstances -- whether the finding was a true code audit or some other process. Neither of these changes the fact that the vulnerable code was released in early 2012, enabled by default, and sat there on millions of web servers for two years.

    Originally posted by Feathers McGraw:
        Thanks for your description of how things work at Microsoft, it's interesting. What's the ratio of developers to testers?
    Don't know the ratio, sorry.

    Originally posted by Feathers McGraw:
        I read once that security guys often pick through open source projects to get a few CVEs on their CVs, is that true?
    I've never done such a thing!

  • SteveRiley replied:
    Originally posted by kubicle:
        Should merge threads to avoid duplication.
    Good idea -- done.

    Originally posted by whatthefunk:
        Does Android use Bash?
    Apparently so. Not in the factory Android images from Google. Alternate ROMs may have it. Here's my Nexus 4, running Cyanogenmod snapshot M10, built from Android 4.4.4. You can see that Bash is part of this ROM:

    [screenshot omitted]

    Originally posted by jpenguin:
        So... are dash, ksh or tcsh affected?
    Nope, these particular vulnerabilities exist only in Bash.

    But that doesn't mean the other shells are free of potential vulnerabilities. Either no one's looked, or no one's reporting their findings.
    Last edited by SteveRiley; Oct 04, 2014, 01:31 AM. Reason: Bash isn't in factory images.

  • kubicle replied:
    We have a thread for 'shellshock' already: https://www.kubuntuforums.net/showth...A-new-BASH-bug

    Should merge threads to avoid duplication.

  • jpenguin replied:
    Bring back tin-foil hat Linux!

  • claydoh replied:
    Unless you are running some sort of a server facing the internet, then you are unlikely to need to worry about this, especially as the patches have been coming.
    There is a fair bit of click-baiting on many websites about this, adding to the frenzy. And of course every single script-kiddie wannabe "hacker" is out there trying stuff out.

    I went to grab my conspiracy-theory party hat, but it is a bit tattered and worn now

  • mbohets replied:
    When I look in synaptic, I see both bash and dash are installed (and also csh).

    I read in the press that even after the patches bash is not totally in the clear.
    Would Kubuntu still work when I remove bash?
    When I mark it for removal, I get a warning that it may make Kubuntu unusable.

  • GreyGeek replied:
    anika200, your installation, if you haven't disabled auto update, was patched twice, once on the 25th and again on the 26th. Other shells are not affected. Kubuntu, btw, uses dash, not bash. Other apps may call bash so that is why it was quickly patched. That scare has mostly evaporated before the script kiddies or pro hackers could exploit it, although many began trying after the bug was announced. But, it was too late. Those who have done a standard install and disabled auto update are probably still vulnerable, as are those who still use "admin" for a name and "12345" for a password.

  • anika200 replied:
    I am having trouble determining what version of bash I have installed, or do I have both somehow?

    If I do this:
    Code:
        lee@lee-asrock:~$ bash --version
        GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)
        Copyright (C) 2013 Free Software Foundation, Inc.
    And if I search with apt:
    Code:
        bash/trusty-updates,trusty-security,now 4.3-7ubuntu1.4 amd64 [installed]  GNU Bourne Again SHell
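A local self-check, added here and not taken from any post in the thread, for the questions raised above: which shell /bin/sh really is, and whether the installed bash still executes a command appended to a function-shaped environment variable (the bug the thread calls Shellshock). It assumes a Debian/Ubuntu-style system with env and, if installed, bash on PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for a Kubuntu/Ubuntu box:
#   1. which shell /bin/sh actually is (the "Kubuntu uses dash" point above)
#   2. whether the installed bash still runs a command appended to a
#      function-shaped environment variable (the Shellshock check)
# Assumption: env and, if installed, bash are on PATH.

# Resolve /bin/sh to the real binary, e.g. /bin/dash on Ubuntu.
default_sh() {
    readlink -f /bin/sh 2>/dev/null || echo /bin/sh
}

# Hand a child bash an environment variable that looks like an exported
# function with a trailing command. A fixed bash treats the variable as
# plain text; an unfixed one executes the trailing command at startup.
# Exit status: 0 = fixed, 1 = still vulnerable, 2 = no bash installed.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env probe='() { :;}; echo VULNERABLE' bash -c 'echo checked' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Human-readable summary. `bash --version` is not the number to compare:
# a distribution backports fixes without changing that string, so the
# package revision from apt (4.3-7ubuntu1.4 in the post above) is what
# the distribution's security notice refers to.
report() {
    printf '/bin/sh is %s\n' "$(default_sh)"
    shellshock_check && rc=0 || rc=$?
    case "$rc" in
        0) echo "bash: function-import check passed (fixed)" ;;
        1) echo "bash: STILL VULNERABLE - install the bash security update" ;;
        2) echo "bash: not installed; dash/ksh/tcsh are not affected by this bug" ;;
    esac
}

report
```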

  • jpenguin replied:
    So... are dash, ksh or tcsh affected?

  • Feathers McGraw replied:
    Originally posted by SteveRiley:
        Yes, the source code is visible for everyone to look at, but who's actually doing that? In the case of OpenSSL and Bash, apparently no one.
    Hang on, wasn't the openssl bug found because Google and that other company did code audits?

    Thanks for your description of how things work at Microsoft, it's interesting. What's the ratio of developers to testers?

    I read once that security guys often pick through open source projects to get a few CVEs on their CVs, is that true?

  • SteveRiley replied:
    Originally posted by Feathers McGraw:
        OK I'll bite... how would we know if there are old vulnerabilities in Windows without being able to see the code? I guess you've seen it, but it's just a black box to the rest of us.
    So here's a little bit of truth that a lot of people either don't know or choose to ignore.

    In the open source world, it's popular to claim "many eyes" help improve overall security. But, recently, the industry has seen two major instances of where this claim is demonstrably false: first Heartbleed, now Shellshock. Yes, the source code is visible for everyone to look at, but who's actually doing that? In the case of OpenSSL and Bash, apparently no one.

    Here's what happens inside Microsoft. Developers work on code. There are several strict guidelines about safe and unsafe coding -- these came out of the Secure Windows Initiative in the early 2000s. Finished code is given to testers, whose primary job is to try to break stuff. Will they catch everything? Of course not. But they're good at what they do, they know how to think like bad guys, and the tools for finding vulnerable code have steadily improved over time.

    How many open source projects have the luxury of individuals spending their full time on software quality and assurance?

    Originally posted by Feathers McGraw:
        I wonder if the BASH vulnerability was discovered because someone thought to have a rummage through some old code after heartbleed was discovered... hopefully all of this will result in more code audits by professionals and hobbyists alike, there are bound to be more bugs to find. Gotta catch 'em all
    Software testing is not a sexy job. Testers earn less than developers and (in some organizations) testers are viewed with disdain ("All that ******* does is call my {software | baby} ugly"). Testing is also more difficult than coding. Less sex + more work = fewer interested people. The industry needs to work on this perception, and raise the awareness and the reward structure of the QA aspects of software engineering.

  • TWPonKubuntu replied:
    Originally posted by SteveRiley:
        Why, because Windows, while having its own share of vulnerabilities that have taken a few years to fix, never had one so old as this?

        Or because Microsoft also has the capability of releasing emergency out-of-band patches for remote-access vulnerabilities that have exploit code in the wild?

        I fail to understand why people still have the urge to make security comparisons. All software has bugs. Some bugs enable malicious behavior. What matters is that the industry as a whole continue to improve code quality, redouble its efforts at examining legacy code, and remain vigilant against adversaries.
    My opinion here:
    [rant]
    The M$ product and its update system pale in comparison to the 'nix support system. I used M$ (past tense) and sold M$ (again, past tense). Please take no offense here, my comment was never intended to suggest that Linux security is somehow less diligent than "other" software varieties. RE your two options above, I regard them as true statements of how M$ works, however they are embedded in the M$ monolithic architecture and this does not (in my experience) work as well as the Linux system. I'm NOT tempted to compare them point for point (which would be kind of pointless, pun intended). From my experience, Linux works better because it is better.

    Yes, as you note, every software has glitches and I no longer support the M$ system because the number and frequency of such problems was high. My comment: "Be glad this isn't Windoze..." is my advice to everyone. Enjoy the fact that we are able, allowed, and can afford to use Linux. If that sounds like I'm not being "fair" to the M$ product and system, then I confess, I am biased and proud of it...

    This current vulnerability will be patched and it will be done quickly and publicly. I'm not sure I would claim that for an M$ problem... We now return control of your system to the program in progress: [/rant]
