Thread: How to patch vulnerability of bash in Altera Cygwin (Shellshock bug)

  1. #1
    Join Date
    Aug 2014
    Posts
    4
    Rep Power
    1

    How to patch vulnerability of bash in Altera Cygwin (Shellshock bug)

    Cygwin is included in several Altera tools. It is a Unix-like environment within Windows. Therefore I post this question in "Other Operating Systems".
    The bash shell that comes with Altera tooling such as Quartus and EDS is vulnerable to the Shellshock bug.
    We are using several older and newer Altera versions: 9.1, 11.0sp1, 12.1sp1, 13.1 and 14.0. The bash shells that come with this tooling are all vulnerable.
    Does anyone know how to patch them? Can I replace an older bash with the newest one with backwards compatibility? Will the older toolchains still work?

    To test if bash is vulnerable, start the "Nios II Command Shell.bat" or "Embedded_Command_Shell.bat" and run the following command within it:
    Code:
    env 'x=() { echo vulnerable; }' bash -c x
    If it prints "x: command not found", your version of bash is safe and not subject to remote exploits. If it prints "vulnerable", you need to upgrade.

    We have the following versions:
    C:\altera\91\nios2eds\Nios II Command Shell.bat
    C:\altera\11.0sp1\nios2eds\Nios II Command Shell.bat
    C:\altera\12.1sp1\nios2eds\Nios II Command Shell.bat
    C:\altera\13.1\nios2eds\Nios II Command Shell.bat
    C:\altera\14.0\embedded\Embedded_Command_Shell.bat
    C:\altera\14.0\nios2eds\Nios II Command Shell.bat

  2. #2
    Join Date
    Nov 2009
    Location
    uk
    Posts
    1,736
    Rep Power
    1

    Re: How to patch vulnerability of bash in Altera Cygwin (Shellshock bug)

    Firstly, that is the wrong test for the vulnerability; a better one is:
    Code:
    x='() { fubar; }; echo barfu' sh -c ""
    Which should not output 'barfu'.
    But I wouldn't worry about it on your development system; most things that can set environment variables can just execute the relevant command instead.
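
The two probes quoted in posts #1 and #2, combined into one check that can be pointed at each bash binary in turn. This is an added example, not code from the thread or from Altera; the function name `probe_shell`, its result labels, and the paths passed on the command line are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. Run inside the Cygwin shell under test.
# Usage: sh probe.sh /path/to/bash.exe [...]   (paths are supplied by you;
# the thread does not say where each Altera install keeps its bash.exe)

# probe_shell PATH -> prints one of (labels invented for this example):
#   missing               PATH is not an executable regular file
#   trailing-command      post #2 probe fired: text after the function body
#                         in an environment variable ran at shell startup
#   function-import-only  only post #1 probe fired: a function definition was
#                         imported from an ordinary variable and could be called
#   no-hit                neither probe produced its marker
probe_shell() {
    _sh=$1
    if [ ! -f "$_sh" ] || [ ! -x "$_sh" ]; then
        echo missing
        return 0
    fi

    # Probe from post #2. "|| :" because only the output matters, not the status.
    _p2=$(env x='() { fubar; }; echo barfu' "$_sh" -c "" 2>/dev/null) || :
    # Probe from post #1 (stderr carries "command not found" on a no-hit).
    _p1=$(env 'x=() { echo vulnerable; }' "$_sh" -c x 2>/dev/null) || :

    case $_p2 in
        *barfu*) echo trailing-command; return 0 ;;
    esac
    case $_p1 in
        *vulnerable*) echo function-import-only ;;
        *) echo no-hit ;;
    esac
}

# One tab-separated result line per binary given on the command line.
for _target in "$@"; do
    printf '%s\t%s\n' "$_target" "$(probe_shell "$_target")"
done
```

Each Altera version listed in post #1 ships its own shell, so every install has to be probed separately.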

  3. #3
    Join Date
    Aug 2014
    Posts
    4
    Rep Power
    1

    Re: How to patch vulnerability of bash in Altera Cygwin (Shellshock bug)

    Originally posted by dsl:
        But I wouldn't worry about it on your development system, most things that can set environment variables can just execute the relevant command instead.
    Besides development systems, we have also installed these Altera tools (with Cygwin) on build servers. Should we patch them? If so, how should we do that without breaking backwards compatibility?

  4. #4
    Join Date
    Nov 2009
    Location
    uk
    Posts
    1,736
    Rep Power
    1

    Re: How to patch vulnerability of bash in Altera Cygwin (Shellshock bug)

    Just ensure that whatever executes the Altera tools doesn't have anything 'nasty' in its 'environment variables'.
    I'd guess the 'environment variables' come straight from the Windows ones.
    Unless these are set based on information from an untrusted remote system (which I doubt) it just doesn't matter.

  5. #5
    Join Date
    Aug 2004
    Location
    Texas Y'all
    Posts
    2,352
    Rep Power
    1

    Re: How to patch vulnerability of bash in Altera Cygwin (Shellshock bug)

    Altera is aware of this and will be addressing it. I can't commit to a date but it's on our radar.

  6. #6
    Join Date
    Aug 2014
    Posts
    4
    Rep Power
    1

    Re: How to patch vulnerability of bash in Altera Cygwin (Shellshock bug)

    Altera 14.1 solves this vulnerability. http://www.altera.com/literature/rn/cv_hps_rn.pdf

  7. #7
    Join Date
    Aug 2014
    Posts
    4
    Rep Power
    1

    Re: How to patch vulnerability of bash in Altera Cygwin (Shellshock bug)

    The shellshock bug is fixed in Altera v14.1 SoC EDS, see Cyclone V SoC HPS Release Notes http://www.altera.com/literature/rn/cv_hps_rn.pdf
