Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

To: debian-user@lists.debian.org
Subject: Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
From: Håkon Alstadheim <hakon@alstadheim.priv.no>
Date: Thu, 25 Sep 2014 09:18:28 +0200
Message-id: <[🔎] 5423C1C4.1090301@alstadheim.priv.no>
In-reply-to: <[🔎] 20140924165250.2351e397@mydesq2.domain.cxm>
References: <[🔎] 20140924165250.2351e397@mydesq2.domain.cxm>

According to<https://secure.dshield.org/forums/diary/Attention+NIX+admins+time+to+patch/18703>:Red Hat has become aware that the patch for CVE-2014-6271 is incomplete.An attacker can provide specially-crafted environment variablescontaining arbitrary commands that will be executed on vulnerablesystems under certain conditions. The new issue has been assignedCVE-2014-7169.

https://access.redhat.com/articles/1200223

According to the article at redhat, only bash is vulnerable, so (if youdo not have homegrown bashisms in shells with #!/bin/sh as first line)you should check that ls -l /bin/sh gives "/bin/sh -> dash", and dodpkg-reconfigure dash if it does not.

Reply to:

Follow-Ups:
- Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
  - From: Gokan Atmaca <linux.gokan@gmail.com>

References:
- Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
  - From: Steve Litt <slitt@troubleshooters.com>

Prev by Date: Can't We Have Another Vote for Systemd
Next by Date: Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271
Previous by thread: Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
Next by thread: Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
Index(es):
- Date
- Thread