Some of you may have read the headlines reporting a newfound bug in most *nix systems (which includes Linux, MacOS, Android) that may open systems to exploitation.
As I understand it, no Android device has a bash shell installed by default. But since the FP is rooted, and clearly a lot of FP users like prodding the system, some of you may have installed a bash shell app. If you’re among them, I guess it is prudent to take caution and patch your bash package.
It would be great if someone more savvy could confirm that ‘ordinary users’ have no reason to worry.
Greetings from Karl (who has patched his Linux netbook…)
Hi madde and thanks for the input. Yup, I found a patched bash package on a reliable repo out there (I’m on a slackware-based distro) and after installing the test script shows that I’m protected.
Found this information for Fedora users:
there are patched bash package updates available for F19, 20, 21.
But I still wonder if the vulnerability affects a stock Android install? Is there a hidden bash shell behind the curtains? Or does this only affect Android users who have installed a bash shell app?
bash $ bash --version
should output GNU bash, Version [...]
(Android) Terminal Emulator App
The Terminal Emulator App ships with /system/bin/sh as the default shell (tested with version from F-Droid). So it emulates mksh. You can find the used shell in the preferences.
Thank you @Dominik for clarifying this. I did not know that there was more than one shell.
@kgha I tested the command env but it wasn’t found by the shell. So I think it does not work with mksh. On the other hand it tells me that Cyanogenmod uses bash and is vulnerable. Is that right? (@madde)
Yes, it’s a relief, I hope you’ve been able to patch your Fedora install without too much trouble (fixing CM might be more complicated unless a patch will be accessible soon).
On normal web-servers this bug is quite serious because an external attacker gets the possibility to execute programs that run under the bash shell (e.g. an old CGI script). On Android phones very few programs will get input from “outside” and pass that to a shell because there is really no need for it (the Android interfaces are quite decent and the shell on Android is really limited). The attack surface is “non-existent”. Also we do not run bash so this specific bug does not affect us. Still the Android command line tools have not received the same “love” as bash in terms of security/research so it probably is safe to assume they have a different set of problems!
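An added self-check, not the test script mentioned in the thread, that answers the two questions raised above on one's own device: is the shell behind the terminal app bash at all (mksh has no `env` and is not affected), and if it is bash, does the well-known environment-function-import self-test still fire. It assumes a POSIX sh to run under and that a `bash` binary may or may not be on PATH; the banner strings in the test are constructed samples.

```shell
#!/bin/sh
# Added example, not from the forum thread. Run it inside the terminal app
# on the phone (or on any *nix box) to see which shell you really have and
# whether an installed bash still executes code smuggled in an env variable.

# Classify a "--version" banner as "bash", "mksh" or "other".
# Useful when a terminal app lets you pick the shell in its preferences.
classify_banner() {
    case "$1" in
        "GNU bash, version"*) echo bash ;;
        *"MIRBSD KSH"*|*mksh*) echo mksh ;;
        *) echo other ;;
    esac
}

# Identify the shell running this script from the variables each shell sets.
# mksh exports KSH_VERSION, bash exports BASH_VERSION; neither is assumed.
current_shell_kind() {
    if [ -n "${BASH_VERSION:-}" ]; then echo bash
    elif [ -n "${KSH_VERSION:-}" ]; then echo ksh
    else echo other
    fi
}

# "not-bash" when no bash binary is on PATH (stock Android / mksh-only image);
# otherwise "vulnerable" if the trailing command in an exported variable that
# looks like a function definition runs when bash starts, "patched" if not.
bash_shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo not-bash; return 0; }
    out=$(env PROBE='() { :;}; echo MARKER' bash -c 'echo ok' 2>/dev/null)
    case "$out" in
        *MARKER*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

main() {
    printf 'shell running this script: %s\n' "$(current_shell_kind)"
    printf 'installed bash status: %s\n' "$(bash_shellshock_status)"
}
```

Run it as `sh check.sh`; "not-bash" on a plain Android image confirms the thread's conclusion that the stock shell is unaffected, while "patched" after a package update confirms the fix took.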