Nios® II Embedded Design Suite (EDS)
Support for Embedded Development Tools, Processors (SoCs and Nios® II processor), Embedded Development Suites (EDSs), Boot and Configuration, Operating Systems, C and C++

How to patch vulnerability of bash in Altera Cygwin (Shellshock bug)

Altera_Forum

Cygwin (https://cygwin.com/ml/cygwin-announce/2014-10/msg00004.html) is included in several Altera tools. It is a Unix-like environment within Windows. Therefore I am posting this question in "Other Operating Systems". 

The bash shell that comes with Altera tooling such as Quartus and EDS is vulnerable to the Shellshock (http://en.wikipedia.org/wiki/shellshock_%28software_bug%29) bug. 

We are using several older and newer Altera versions: 9.1, 11.0sp1, 12.1sp1, 13.1 and 14.0. The bash shells that come with this tooling are all vulnerable. 

Does anyone know how to patch them? Can I replace an older bash with the newest one with backwards compatibility? Will the older toolchains still work? 

 

To test if bash is vulnerable, start the "Nios II Command Shell.bat" or "Embedded_Command_Shell.bat" and run the following command within it: 

env 'x=() { echo vulnerable; }' bash -c x 

If it prints "x: command not found", your version of bash is safe and not subject to remote exploits. If it prints "vulnerable", you need to upgrade. 

 

We have the following versions: 

C:\altera\91\nios2eds\Nios II Command Shell.bat 

C:\altera\11.0sp1\nios2eds\Nios II Command Shell.bat 

C:\altera\12.1sp1\nios2eds\Nios II Command Shell.bat 

C:\altera\13.1\nios2eds\Nios II Command Shell.bat 

C:\altera\14.0\embedded\Embedded_Command_Shell.bat 

C:\altera\14.0\nios2eds\Nios II Command Shell.bat
6 Replies
Altera_Forum

Firstly, that is the wrong test for the vulnerability; a better one is: 

x='() { fubar; }; echo barfu' sh -c "" 

Which should not output 'barfu'. 

But I wouldn't worry about it on your development system; most things that can set environment variables can just execute the relevant command instead.
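
One way to run the two checks quoted in this thread against several bash binaries at once, for example on a build server (an added example, not part of the original posts and not Altera's tooling). The function names are hypothetical, and since the thread does not say where bash.exe sits inside each install, the binaries are passed as arguments.

```shell
# Added example (not from the thread): run both checks quoted above against
# shell binaries passed as arguments. Function names are hypothetical.

# check_shell PATH -> prints a verdict; returns 0 only for "safe".
check_shell() {
    shell=$1
    # Check from the reply: the command after the function body must not run.
    out=$(env x='() { fubar; }; echo barfu' "$shell" -c "" 2>/dev/null) || true
    case $out in
        *barfu*) echo vulnerable; return 1 ;;
    esac
    # Check from the question: an ordinary variable x must not become function x.
    out=$(env 'x=() { echo vulnerable; }' "$shell" -c x 2>/dev/null) || true
    case $out in
        *vulnerable*) echo imports-functions; return 2 ;;
    esac
    echo safe
}

# scan_shells PATH... -> one "verdict<TAB>path" line each; non-zero if any is not safe.
scan_shells() {
    rc=0
    for s in "$@"; do
        if [ ! -x "$s" ]; then
            printf 'missing\t%s\n' "$s"
            rc=1
            continue
        fi
        verdict=$(check_shell "$s") || rc=1
        printf '%s\t%s\n' "$verdict" "$s"
    done
    return "$rc"
}
```

A non-zero exit status from `scan_shells` makes it usable as a gate in a build-server job.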
Altera_Forum

 

--- Quote Start ---  

But I wouldn't worry about it on your development system, most things that can set environment variables can just execute the relevant command instead. 

--- Quote End ---  

 

 

Besides development systems we have also installed these Altera tools (with Cygwin) on build servers. Should we patch them? If so, how should we do that without breaking backwards compatibility?
Altera_Forum

Just ensure that whatever executes the Altera tools doesn't have anything 'nasty' in its 'environment variables'. 

I'd guess the 'environment variables' come straight from the Windows ones. 

Unless these are set based on information from an untrusted remote system (which I doubt) it just doesn't matter.
Altera_Forum

Altera is aware of this and will be addressing it. I can't commit to a date but it's on our radar.

Altera_Forum

Altera 14.1 solves this vulnerability. http://www.altera.com/literature/rn/cv_hps_rn.pdf

Altera_Forum

The Shellshock bug is fixed in Altera v14.1 SoC EDS; see the Cyclone V SoC HPS Release Notes: http://www.altera.com/literature/rn/cv_hps_rn.pdf
