Hey, bash doesn't exist

We have a logo for Shellshock, as we did for Heartbleed. Thank you, bf5man.

Just as a personal wrapup to bashgate (bashbleed, shellshock?), I uninstalled bash from my FreeBSD boxes. My scripts could all be run with sh anyway, and I hadn't needed it for anything other than my cloud provider's context system, but that's for another post.

In doing so, I made one of my FreeBSD systems so secure, neither Clara or I could even log in! Tailing auth.log:

User X not allowed because shell /bin/bash does not exist
User Y not allowed because shell /bin/bash does not exist

One would be well served running chsh before removing your shell.

In any case, I'm using the system default tcsh again, and swapped it back on my Macs. Heck, I've even got it as my default shell on Debian (though isn't bash on that system just dash anyway?). I can still write tcshrc from memory :).

Incomplete bash code injection fix

The #bashbleed #shellshock fix we got yesterday was only a partial. CVE-7169:

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.

Update bash on your boxes again, or if you can't, shut down SSH and block it with your firewall rules.

Also, don't reinstall bash on FreeBSD. Make tcsh your friend, as many on Twitter told me they have yesterday. It really is quite a nice interactive shell, and you've always got sh for scripts.

Bash code injection vulnerability

This is serious. Potentially worse than Heartbleed. CVE-2014-6271:

A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.

Red Hat has a command you can use to test if you're vulnerable, along with some nice details.

Update bash on your boxes, or if you can't, shut down SSH and block it with your firewall rules.

On FreeBSD, uninstall it and make tcsh your friend again.

Happy Birthday Mummy

If she were alive today, she would be years old fabulous.

Caught up with my lovely sister in town to have dinner and celebrate her life. This year we talked about change, and all the things we'd eagerly tell her about if we could. Would Deb approve? (She hated, hated when people called her Deb, so naturally I always called her that).

There's still a part of me that expects to come home, walk into her bedroom and see her there with her espresso machine, vintage powder compact collection, mountains of artwork and a warm, cheeky smile behind a delightfully silly PG Wodehouse tome. She was really one of a kind, and, without any remorse for the cheesiness of the line I'm about to type, I feel so lucky to have known her not "just" as my mum, but as my best friend.

I love you. ❤

Converting vmdk version 3 images

So I needed to convert a VMware vmdk image to a raw disk image. Knowing qemu-img could do the task, I did as per normal:

# qemu-img convert -f vmdk -O raw image.vmdk export.img

Only to find:

qemu-img: 'image' uses a vmdk feature which is not supported \
    by this qemu version: VMDK version 3
qemu-img: Could not open 'image.vmdk': \
    Could not open 'image.vmdk': Wrong medium type
qemu-img: Could not open 'image.vmdk'
It then proceeded to tell me:
Ruben, you're devilishly handsome.

My computer may be a lousy liar, but at least she's nice. As for the earlier problem, the solution was to upgrade QEMU to 2.1.0. Running the command after this resulted in an image I could use.

As an aside, you you can even use this shorthand:

# qemu-img convert -O raw import.vmdk export.img