
Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)




On 24/09/14 21:52, Steve Litt wrote:
Hi everyone,

Bash Code Injection Vulnerability via Specially Crafted Environment
Variables (CVE-2014-6271)

https://access.redhat.com/articles/1200223

My current Debian setup is vulnerable, as shown below:

==============================================
slitt@mydesq2:~$ env x='() { :;}; \
echo vulnerable'  bash -c "echo this is a test"
vulnerable
this is a test
slitt@mydesq2:~$ uname -a
Linux mydesq2 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64 GNU/Linux
slitt@mydesq2:~$ cat /etc/issue
Debian GNU/Linux 7 \n \l

env x='() { :;}; \
> echo vulnerable'  bash -c "echo this is a test"
bash: line 1: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
21:58:57 shihad:$ uname -a
Linux shihad 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64 GNU/Linux
21:59:09 shihad:$ cat /etc/issue
Debian GNU/Linux 7 \n \l
bash --version
GNU bash, version 4.3.24(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Did you try apt-get update && apt-get upgrade yet? That should fix you right up
as long as your mirror is up to date.

Cheers

Iain

