Replicant

Hi,

There is an utility in f-droid to check for the vulnerability.
If you use it it'll tell that we're affected.

Do you know what do or can use bash in Replicant or f-droid?

I guess busybox or toolbox's shells are the ones that are used by default by almost everything.

Denis.

You mean this tool for sure: https://f-droid.org/repository/browse/?fdfilter=shellshock&fdid=in.indiandragon.shellshock.shellshockvulnerabilityscan
The problem with this tool is:
- that it checkes one single vulnerability (CVE-2014-6271) (http://blog.indiandragon.in/2014/10/shellshock-vulnerability-in-android.html) and
- after I manually (and temporarily) switched to the patched BASH over the CWM flashable zip file:
https://dl.dropboxusercontent.com/s/zbed1om7hgb5iqb/Bash-signed.zip?dl=0
Source: http://forum.xda-developers.com/android/software-hacking/dev-lastest-bash-android-t2898295
this tool still says, that I'm vulnerable with my new BASH version.

The last point is strange, because I've manually tested the Replicant built in BASH with that (CVE-2014-6271)-exploit over the Terminal Emulator app:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
which was vulnerable, and after the replacement to the patched BASH, I definitely verified, that I'm not vulnerable to this exploit anymore, (with exactly the same test of course)...
Source & exploits for the other CVEs: https://shellshocker.net/

The commits from CyanogenMod cannot be fetched (even though they show up on the github website), please provide commits I can include directly in Replicant.

I don't like the idea of updating components versions, it makes things hard to maintain, so I prefer to backport patches (i.e. I want updates to be only security-related, not features-related). If there is no other way, I will consider bumping the version, but please try to find a way for me to integrate those patches in the current code.

Nevermind, I found a way to export the patches: https://github.com/CyanogenMod/android_external_bash/commit/027626f9f273edf1c435c223f93768ec6dcc5301.patch

Note that the applications still says that it is vulnerable, but it may just be checking the bash version, which didn't change since I just backported the patches.

I tried with the script from: https://shellshocker.net/

Results on the 0002 images:

CVE-2014-6271 (original shellshock): VULNERABLE
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): VULNERABLE
bash: line 39: cd: /tmp: No such file or directory
CVE-2014-7169 (taviso bug): VULNERABLE
bash: line 50:  4872 Segmentation fault      bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2> /dev/null
CVE-2014-7186 (redir_stack bug): VULNERABLE
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable

Results with the current repositories:

CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
bash: line 39: cd: /tmp: No such file or directory
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable