From: Arthur Chance
Date: Fri, 26 Sep 2014 15:59:40 +0100
To: freebsd@fongaboo.com
Cc: "freebsd-questions@freebsd.org"
Subject: Re: No BASH shellshock thread yet?

On 26/09/2014 13:59, Olivier Nicole wrote:
> What's the problem? Update your port and you're OK.
>
> Olivier
>
> On Fri, Sep 26, 2014 at 7:50 PM, wrote:
>>
>> Perhaps I'll start one...
>>
>> http://twisteddaemon.com/post/98320577491/bash-code-injection-vulnerability-via-specially-crafted
>>
>>
>> http://youtu.be/ArEOVHQu9nk

Or don't install bash in the first place.
:-)

I've had a quick scan of the ports tree (my copy was last updated a week ago). There are 139 ports that have bash as a runtime dependency when using default options.

If you want to do the same thing with your own make.conf the code I used was as follows. It's not elegant or blindingly fast but works. Just hope Thunderbird doesn't mangle it too much.

find /usr/ports -depth 3 -name Makefile \
   -execdir sh -c "echo -n '@ ' ; pwd ; make run-depends-list" \; |\
   awk '/^@/ {save=$2;}; /^\/usr\/ports\/shells\/bash/ {print save;}' |\
   sed -e 's:/usr/ports/::' |\
   sort

And to save most people doing it, here are the 139 ports that need bash at runtime:

archivers/makeself
archivers/xarchive
audio/abcde
biology/gff2ps
biology/ugene
cad/opencascade
databases/autobackupmysql
databases/datamodeler
databases/dbtool
databases/grass
databases/hbase
databases/percona-toolkit
databases/puppetdb
databases/sqldeveloper
deskutils/cairo-dock
deskutils/todo
devel/anjuta
devel/build
devel/chruby
devel/colormake
devel/compiz-bcop
devel/gtgt
devel/hadoop
devel/hadoop2
devel/lcov
devel/leiningen
devel/liblouisxml
devel/p5-Test-YAML
devel/quilt
devel/rbenv
devel/ros
devel/urjtag
devel/zookeeper
emulators/pipelight
emulators/vboxtool
emulators/wine-doors
french/eficas
games/gbrainy
games/legends
games/minecraft-client
games/torcs
games/trackballs
graphics/epix
graphics/gmt
graphics/gscan2pdf
graphics/pfstools
graphics/vips
graphics/xpaint
irc/nefarious
japanese/VTPSfont
java/icedtea-web
lang/harbour
lang/jruby
lang/jython
lang/kroc
lang/mlton
lang/scala
mail/biabam
mail/mailscanner
math/aspcud
math/geogebra-i18n
math/isabelle
math/maxima
math/plplot
math/sage
multimedia/2mandvd
multimedia/banshee
multimedia/dvd-slideshow
multimedia/iso2mkv
multimedia/mkxvcd
multimedia/vdr-plugin-streamdev
net-mgmt/icinga2
net-mgmt/nagios-check_tftp
net-mgmt/victorops-nagios
net-p2p/verlihub
net/dropbox-uploader
net/grsync
net/kamailio
net/mpich2
net/py-ec2-cli-tools
news/sn
ports-mgmt/portless
print/apsfilter
print/font2svg
print/lpr-wrapper
science/minc2
science/ncs
science/paraview
security/bro
security/logcheck
security/massh
security/monkeysphere
security/mussh
security/p5-openxpki
security/scamp
security/unssh
shells/ambit
shells/bash-completion
shells/viewglob
sysutils/apt
sysutils/autojump
sysutils/bashburn
sysutils/byobu
sysutils/confman
sysutils/duply
sysutils/getdelta
sysutils/gsmartcontrol
sysutils/hal
sysutils/linux-crashplan
sysutils/munin-node
sysutils/mybashburn
sysutils/pacman
sysutils/password-store
sysutils/screenfetch
sysutils/sshsudo
sysutils/tartarus
sysutils/vimpager
sysutils/wemux
sysutils/wiimms
textproc/apertium
textproc/dbacl
textproc/google-translate-cli
textproc/idnits
textproc/irstlm
textproc/rarian
textproc/rfcdiff
textproc/tex2im
textproc/translate-toolkit
textproc/xmlto
textproc/yodl
www/nanoblogger
www/vertx
www/wgetpaste
x11-fm/worker
x11-themes/murrine-configurator
x11-wm/fvwm-crystal
x11-wm/genmenu
x11-wm/herbstluftwm
x11-wm/hs-xmonad-contrib
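
The awk stage in the message above matches any dependency path that begins with /usr/ports/shells/bash, so a port that lists only shells/bash-completion is reported as well. As an added example (not part of the original message), the function below filters the same "@ port" / dependency stream for one exact origin and removes duplicates; the names ports_needing and sample_stream, the example-* ports and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original message. ports_needing and
# sample_stream are hypothetical names; the sample data is constructed.

# ports_needing ORIGIN [PORTSDIR]
# stdin:  "@ <port directory>" marker lines, each followed by that port's
#         dependency paths (what make run-depends-list prints).
# stdout: origins (category/name) of the ports that list PORTSDIR/ORIGIN,
#         sorted, one per line, without duplicates.
ports_needing() {
    awk -v root="${2:-/usr/ports}/" -v origin="$1" '
        BEGIN { dep = root origin }
        $1 == "@" { port = $2; next }      # marker: remember the current port
        $0 == dep && port != "" {          # whole-line match, not a prefix
            if (index(port, root) == 1)    # strip the ports-tree prefix
                port = substr(port, length(root) + 1)
            print port
        }
    ' | sort -u
}

# Constructed stream in the format the find/-execdir stage produces.
sample_stream() {
    cat <<'EOF'
@ /usr/ports/archivers/makeself
/usr/ports/shells/bash
@ /usr/ports/editors/example-a
/usr/ports/shells/bash-completion
/usr/ports/lang/perl5.16
@ /usr/ports/sysutils/example-b
/usr/ports/shells/bash
/usr/ports/shells/bash
@ /usr/ports/www/example-c
/usr/ports/lang/python27
EOF
}

# Demo: only ports that list shells/bash itself are printed.
sample_stream | ports_needing shells/bash
```

On a FreeBSD host the output of the message's find ... -execdir stage can be piped into ports_needing shells/bash in place of the awk, sed and sort stages.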