We have moved to a new Sailfish OS Forum. Please start new discussions there.
27

[BUG] Jolla bash shell is affected by the #shellshock bug [answered]

asked 2014-09-25 10:03:18 +0300

Bundyo gravatar image

updated 2014-09-25 10:09:30 +0300

Any ETA for a fix? Pretty nasty vulnerability this is :)

http://prng.net/shellshock/

edit retag flag offensive reopen delete

The question has been closed for the following reason "the question is answered, an answer was accepted" by eric
close date 2014-09-25 18:16:56.130262

Comments

3

I would be great to have this fixed with the upcoming 1.0.9.x update :)

Louis ( 2014-09-25 10:10:08 +0300 )edit
1

Any instructions to recompile bash with basic *ux skills as an workaround would be helpful to fellow sailors NOT developing with SDK daily.

Just did it for my MacOs X, good instructions there: http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271/146851#146851

Jiikoo ( 2014-09-25 10:10:21 +0300 )edit

Jiikoo: Are you sure recompiling bash on SailfishOS on your own is a good idea? It could mess up your system especially when next update will be released and some core apps are custom compiled outside the package manager.

Louis ( 2014-09-25 10:21:38 +0300 )edit

Louis: Well, doing it all the time in my *ux boxes. Let me first re-phrase: "Instructions to compile & package patched bash-package, which could be later replaced by official bash package during next OS update." I have to admit I'm not familiar to SailfishOS peculiarities, but I would assume bash is an atomic executable that could be patched temporarily with small risk of messing other apps. At least I'm more willing to take that risk instead of taking any security risk - but that is of course a matter of personal preference.

Jiikoo ( 2014-09-25 10:28:48 +0300 )edit
3

I read on IRC that this will be tentatively fixed with update 9 (from Aard)...

pat_o ( 2014-09-25 10:50:52 +0300 )edit

2 Answers

Sort by » oldest newest most voted
30

answered 2014-09-25 16:05:35 +0300

Aard gravatar image

Update 9 will contain fixes for:

  • CVE-2014-7169
  • CVE-2014-6271
  • CVE-2014-1568

I'd appreciate if people would stop finding critical issues in core components just when we're about to wrap up for releasing ;)

edit flag offensive delete publish link more

Comments

2

Yes, indeed, I was about to comment it must be hard to have the SSL heartbleed bug revealed a couple of days before release and now this one in bash :P That's the price to pay I guess for frequent updates!! Keep up the good work!

cquence ( 2014-09-25 16:36:52 +0300 )edit

They're not done with fixing this issue ... http://seclists.org/oss-sec/2014/q3/734

max ( 2014-09-26 12:06:18 +0300 )edit

Is it really too much to ask to have out-of-cycle patches for CRITICAL OMGWTF-level vulnerabilites like this one? I'm really disappointed that the release schedule has anything to do with fixing urgent issues.

bart ( 2014-09-27 01:06:30 +0300 )edit
27

answered 2014-09-25 10:51:31 +0300

stezz gravatar image

Thanks for the report. We are working to include this fix in next release.

Please next time also send the report to security@jolla.com which is meant for this kind of issues.

edit flag offensive delete publish link more

Comments

2

I think it is fair to expect that people in Jolla would have organized vulnerability management professionally, and issue advisories to like https://lists.debian.org/debian-security-announce/ and all other seriousl distros. Security community has been all over this issue last 24 hours, please do not say you found out this issue 5 mins ago? I trust not, you just didn't have time to communicate this to the community, right?

Jiikoo ( 2014-09-25 10:59:45 +0300 )edit
1

Jiikoo, unlike other projects like Debian Jolla to my knowledge does not have a complete public roadmap over upcoming features and fixes. Therefore many together tickets will get replays like this "where already aware and working on it for an upcoming release".

Louis ( 2014-09-25 11:08:34 +0300 )edit

Louis, I get that. But why not give workaround instructions instead, 'cause I'd expect a lot skillful sailors that that could benefit from that?

Jiikoo ( 2014-09-25 11:11:52 +0300 )edit
3

Jiikoo I guess that Jolla (like Apple) is more focused on preparing software updates for the average user than providing geeks with instructions for temporary updates that could mess stuff up badly if preformed wrong.

Louis ( 2014-09-25 11:34:03 +0300 )edit

I don't think Apple provides geeks with anything else than what is in the box/update :)

Bundyo ( 2014-09-25 13:16:39 +0300 )edit

Question tools

Follow
5 followers

subscribe to rss feed

Stats

Asked: 2014-09-25 10:03:18 +0300

Seen: 1,617 times

Last updated: Sep 25 '14

Related questions

[Fixed in 1.0.3.8] Crash when linking contacts? [not relevant]

Time slider usage in video player of Gallery app causes the app to hang [duplicate]

QAudioOutput isn't integrated with system volume and libresource like QMediaPlayer

Bug: E-Mail synchronization does not work as configured [released]

Word prediction should be always turned off when entering passwords in Android apps [released]

[Implemented in 1.0.3.8] Poor Polish translation in Sailfish Twitter event feed makes ugly UI issue [answered]

Don't enforce focus to textfield [answered]

[Implemented in 1.0.3.8] Email: Honour Reply-To header [answered]

Bug: Having to delete e-mails twice [answered]

Bug: Virtual keyboard stuck on top of applications

Copyright © Jolla Ltd. 2013-2019. All rights reserved.
about | faq | help | privacy policy | terms of service | give feedback
Powered by Askbot version 0.7.49