Pogoplug B01 - Shellshock Bash Bug - fixable?

This forum is for all other ARMv5 devices

Pogoplug B01 - Shellshock Bash Bug - fixable?

Postby greenman » Thu Sep 25, 2014 3:18 pm

I tried pacman to upgrade, but got lots of errors.
Is there a bash upgrade for this, or do I need to just put down my PogoPlug B01?


$this->bbcode_second_pass_code('', '[root@alarm] $ pacman -Syu
:: Synchronizing package databases...
core is up to date
extra is up to date
community is up to date
aur is up to date
:: The following packages should be upgraded first :
pacman
:: Do you want to cancel the current operation
:: and upgrade these packages now? [Y/n] Y

resolving dependencies...
looking for inter-conflicts...

Targets (8): bash-4.3.024-2 filesystem-2014.07-1 glibc-2.18-12.1 libarchive-3.1.2-8 linux-api-headers-3.16.2-1 lzo-2.08-3 readline-6.3.006-1
pacman-4.1.2-6.1

Total Installed Size: 46.58 MiB
Net Upgrade Size: -1.31 MiB

Proceed with installation? [Y/n] y
(8/8) checking package integrity [######################################################] 100%
error: linux-api-headers: key "77193F152BDBE6A6" is unknown
error: key "77193F152BDBE6A6" could not be looked up remotely
error: filesystem: key "77193F152BDBE6A6" is unknown
error: key "77193F152BDBE6A6" could not be looked up remotely
error: glibc: key "77193F152BDBE6A6" is unknown
error: key "77193F152BDBE6A6" could not be looked up remotely
error: readline: key "77193F152BDBE6A6" is unknown
error: key "77193F152BDBE6A6" could not be looked up remotely
error: bash: key "77193F152BDBE6A6" is unknown
error: key "77193F152BDBE6A6" could not be looked up remotely
error: lzo: key "77193F152BDBE6A6" is unknown
error: key "77193F152BDBE6A6" could not be looked up remotely
error: libarchive: key "77193F152BDBE6A6" is unknown
error: key "77193F152BDBE6A6" could not be looked up remotely
error: pacman: key "77193F152BDBE6A6" is unknown
error: key "77193F152BDBE6A6" could not be looked up remotely
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.
[root@alarm] $ pacman-key --init
gpg: Generating pacman keychain master key...
^C
gpg: signal Interrupt caught ... exiting
')I went to eat breakfast - about half an hour during the master key init and then hit Control-C to stop, assuming it shouldn't take that long to generate a key.
POGO-B01
greenman
 
Posts: 24
Joined: Tue Apr 17, 2012 8:03 pm

Re: Pogoplug B01 - Shellshock Bash Bug - fixable?

Postby karog » Thu Sep 25, 2014 8:01 pm

That bash-4.3.024-2 is dated Sep 24, 2014 so one would think it addresses the exploit.

However, when I upgraded to that bash on my pogo E02, I could no longer authenticate for ssh with either public key (my usual way) nor password. When I downgraded bash back to the prior version, both forms of auth worked again. Note that my E02 was never upgraded to systemd as I keep it more or less in sync with my V3 pogos which no longer get updated unless necessary.
karog
 
Posts: 300
Joined: Thu Jan 05, 2012 7:55 pm

Re: Pogoplug B01 - Shellshock Bash Bug - fixable?

Postby greenman » Fri Sep 26, 2014 3:34 am

karog,

Thank you for replying.

Unfortunately, I didn't fully understand your reply. EO1 is not Oxnas, so our situations may be different.

As my code section shows, I cannot properly make pacman update anything. A current bash file may be available for upgrade, but pacman won't recognize the package integrity, and I am unable to generate a proper pgp key.

My B01 cannot be upgraded in its current state, and I don't know how to fix that.

Are you suggesting that I downgrade to a previous version of archlinux in order to regain update capability, and if so, would you suggest a command line recipe?
POGO-B01
greenman
 
Posts: 24
Joined: Tue Apr 17, 2012 8:03 pm

Re: Pogoplug B01 - Shellshock Bash Bug - fixable?

Postby karog » Fri Sep 26, 2014 3:49 am

greenman, I know that the E02 is not oxnas but as I pointed out, I keep it back with my V3 pogos which are oxnas. I stopped doing system updates on any of my pogos when the move to systemd could not be done on the oxnas V3 pogos.

So you probably should not try to do "pacman -Syu" which will try to update to the latest which is not compatible with oxnas. And generally, I have observed that when a system upgrade says "pacman" should be upgraded first, it is better to answer no rather than yes to it even though yes is the default.

You can try "pacman -Sy bash" to just upgrade bash and its dependencies which may also upgrade readline. My message was simply to point out that when I upgraded bash, it caused the ssh auth problem and downgrading bash to what it was before fixed the problem. The upgraded readline did not cause the problem as I left it upgraded.
karog
 
Posts: 300
Joined: Thu Jan 05, 2012 7:55 pm

Re: Pogoplug B01 - Shellshock Bash Bug - fixable?

Postby greenman » Fri Sep 26, 2014 4:03 am

karog,

Thank you again. I appreciate the clarification. I tried as you suggested, but still had key integrity issues, so I couldn't even upgrade just bash and readline.

So, you''ve left bash un-upgraded, unsecured because there really are no other options for these devices.

Doesn't that mean we should decommission our pogoplugs? I mean, I know it's behind my router's firewall, but is it worth the risk?
POGO-B01
greenman
 
Posts: 24
Joined: Tue Apr 17, 2012 8:03 pm

Re: Pogoplug B01 - Shellshock Bash Bug - fixable?

Postby karog » Fri Sep 26, 2014 4:13 am

greenman, it depends on what kind of exposure to the outside world your pogos have. Mine are not accessible outside my LAN so I am not really worried. My first response on this thread was to point out the ssh auth problem. If others have the same problem then it might get fixed. If not, I may look into it more later.
karog
 
Posts: 300
Joined: Thu Jan 05, 2012 7:55 pm

Re: Pogoplug B01 - Shellshock Bash Bug - fixable?

Postby moonman » Fri Sep 26, 2014 4:39 am

You guys should really try the new kernels @doozan + any armv5 rootfs.
Pogoplug V4 | GoFlex Home | Raspberry Pi 4 4GB | CuBox-i4 Pro | ClearFog | BeagleBone Black | Odroid U2 | Odroid C1 | Odroid XU4
-----------------------------------------------------------------------------------------------------------------------
[armv5] Updated U-Boot | [armv5] NAND Rescue System
moonman
Developer
 
Posts: 3387
Joined: Sat Jan 15, 2011 3:36 am

Re: Pogoplug B01 - Shellshock Bash Bug - fixable?

Postby greenman » Fri Sep 26, 2014 12:21 pm

Moonman - thanks for your reply.

I found a recipe here:
http://projects.doozan.com/uboot/
and used this version version of Uboot:
https://github.com/doozan/uBoot

$this->bbcode_second_pass_code('', '## Unknown uBoot detected on mtd0: 188602682dada4308e3d9945c3f6b6ed
##
## The installer could not detect the version of your current uBoot
## This may happen if you have installed a different uBoot on
## /dev/mtd0 or if you have bad blocks on /dev/mtd0
##
## If you have bad blocks on mtd0, you should not try to install uBoot.
##
## Installation cancelled.
')

Removing all the USB devices also removes the boot flash usb stick, and that doesn't work so I left the boot stick in. I just removed the hard drive.

I'm very likely missing a step. Is there a link to a forum page or elsewhere that has a method for going from this Archlinux kernel to another via Jeff Doozan's UBoot?
POGO-B01
greenman
 
Posts: 24
Joined: Tue Apr 17, 2012 8:03 pm

Re: Pogoplug B01 - Shellshock Bash Bug - fixable?

Postby WarheadsSE » Fri Sep 26, 2014 2:03 pm

$this->bbcode_second_pass_quote('moonman', 'Y')ou guys should really try the new kernels @doozan + any armv5 rootfs.

I really need to spend some time on that kernel, when I have the time.
Core Developer
Remember: Arch Linux ARM is entirely community donation supported!
WarheadsSE
Developer
 
Posts: 6807
Joined: Mon Oct 18, 2010 2:12 pm

Re: Pogoplug B01 - Shellshock Bash Bug - fixable?

Postby bodhi » Fri Sep 26, 2014 8:22 pm

@greenman,
$this->bbcode_second_pass_quote('', 'I') found a recipe here:
http://projects.doozan.com/uboot/
and used this version version of Uboot:
https://github.com/doozan/uBoot

These are instruction to install Kirkwood u-boot (e.g. Pogo V2), not Pogo V3 which is OXNAS.

Look for my posts @doozan for 2013.10 U-Boot for Pogoplug V3 (OXNAS). Also look for Linux Kernel 3.16.0 Pogo V3 (Oxnas OX820) package and rootfs, where the config and patch were made available so you can build Arch kernel with it.

Yup. It would be best if WarheadsSE can find time to build Arch kernel for OXNAS again. I'm sure we can all profit from that.
bodhi
 
Posts: 225
Joined: Sat Aug 13, 2011 10:06 am

Next

Return to Community Supported

Who is online

Users browsing this forum: No registered users and 4 guests