
Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271



On Wed, 24 Sep 2014 16:25:58 -0500
John Hasler <jhasler@newsguy.com> wrote:

[snip]
> Package        : bash
> CVE ID         : CVE-2014-6271
> 
> Stephane Chazelas discovered a vulnerability in bash,

[snip]

> For the stable distribution (wheezy), this problem has been fixed in
> version 4.2+dfsg-0.1+deb7u1.

[snip]

> 
> frequently asked questions can be
> found at: https://www.debian.org/security/

Festive!

The instructions (specifically apt-get update && apt-get upgrade) fixed
my problem, as shown below!


slitt@mydesq2:~$ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test" 

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
slitt@mydesq2:~$

Thank you! I was worried about that.

SteveT

Steve Litt                *  http://www.troubleshooters.com/
Troubleshooting Training  *  Human Performance
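
Added example, not part of the original message: a shell helper that runs the probe quoted above against a chosen bash binary and classifies the captured output as vulnerable, patched or inconclusive. The function names and the sample outputs are constructed for illustration, and it checks only the one probe shown in this message.

```shell
#!/bin/sh
# Added example (not from the original message). Names below are hypothetical.

# Constructed sample: output of a patched bash, as in the session above.
SAMPLE_PATCHED='bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'"'"'
this is a test'

# Constructed sample: what an unpatched bash prints, because the text after
# the function body in the variable is executed before the -c command runs.
SAMPLE_VULNERABLE='vulnerable
this is a test'

# classify_probe_output TEXT
# Prints "vulnerable" if a line consisting only of "vulnerable" is present,
# "patched" if the marker line ran without it, "inconclusive" otherwise
# (for example when the binary could not be executed at all).
classify_probe_output() {
    probe_text=$1
    if printf '%s\n' "$probe_text" | grep -qx 'vulnerable'; then
        echo vulnerable
    elif printf '%s\n' "$probe_text" | grep -qx 'this is a test'; then
        echo patched
    else
        echo inconclusive
    fi
}

# probe_bash [PATH_TO_BASH]
# Runs the probe from the message against the given binary (default: the
# bash found in PATH), capturing stdout and stderr together.
probe_bash() {
    bash_bin=${1:-bash}
    probe_out=$(env x='() { :;}; echo vulnerable' "$bash_bin" \
        -c 'echo this is a test' 2>&1) || true
    classify_probe_output "$probe_out"
}

# Stand-alone use: check the bash in PATH, or the binary named as argument.
probe_bash "$@"
```

Pass a path such as a chroot's or container image's bash as the first argument to check copies other than the one in PATH.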

