
Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 09/24/2014 at 04:52 PM, Steve Litt wrote:

> Hi everyone,
> 
> Bash Code Injection Vulnerability via Specially Crafted
> Environment Variables (CVE-2014-6271)
> 
> https://access.redhat.com/articles/1200223
> 
> My current Debian setup is vulnerable, as shown below:
> 
> ==============================================
> slitt@mydesq2:~$ env x='() { :;}; \
> echo vulnerable'  bash -c "echo this is a test"
> vulnerable
> this is a test
> slitt@mydesq2:~$ bash --version
> GNU bash, version 4.2.37(1)-release (x86_64-pc-linux-gnu)
> ==============================================
> 
> Does anyone know if there's a fix for Debian's bash, and how to
> install it?

As already noted, there's been a debian-security-announce alert about
this, for a fix in wheezy.

For testing, I don't know how comprehensive it is, but I ran a variant
of that same test on my system (with bash 4.3.9) and got a successful
pass - no vulnerability indicated.

Online reports have indicated that bash 4.3.x is affected, and I haven't
updated bash since before these reports hit, so I don't know what the
true shape of the picture is. The data point seemed potentially worth
mentioning, however.

A quick test also indicates that, as mostly expected, dash (the Debian
Almquist shell, which provides /bin/sh by default in current Debian) is
apparently not affected.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw
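As an added example (not part of the thread, and not code from either poster), the test Steve quoted can be wrapped in a small POSIX shell function so each installed shell is checked the same way and the result is reported as a word and an exit status rather than by eyeballing output. It exercises only the exact vector quoted above, so, as The Wanderer notes, a pass says nothing about how comprehensive the check is. The function names `check_shellshock` and `shell_version` and the shell list at the bottom are assumptions of this example.

```shell
#!/bin/sh
# Added example: wraps the exported-function test from the thread in a
# reusable function. The names below and the shell list are assumptions
# of this example, not anything from the original mail.

# check_shellshock SHELL
# Runs the quoted CVE-2014-6271 test against SHELL and prints one of
# "vulnerable", "not vulnerable" or "not found". Exit status: 1 if the
# shell executed the injected trailing command, 0 if it did not, 2 if
# the shell is not installed.
check_shellshock() {
    _sh=$1
    if ! command -v "$_sh" >/dev/null 2>&1; then
        echo "not found"
        return 2
    fi
    # Same construction Steve used: an environment variable whose value
    # looks like a function definition followed by an extra command. An
    # affected bash imports the function and also runs the trailing
    # "echo vulnerable"; a fixed bash and dash both ignore it.
    _out=$(env x='() { :;}; echo vulnerable' "$_sh" -c 'echo this is a test' 2>/dev/null)
    case $_out in
        *vulnerable*)
            echo "vulnerable"
            return 1 ;;
        *)
            echo "not vulnerable"
            return 0 ;;
    esac
}

# shell_version SHELL
# First line of "SHELL --version", or "unknown" for shells such as dash
# that have no --version option (or are not installed).
shell_version() {
    _v=$("$1" --version 2>/dev/null | head -n 1)
    [ -n "$_v" ] && echo "$_v" || echo "unknown"
}

# Report on the shells the thread mentions, plus whatever provides sh.
for s in bash dash sh; do
    printf '%-5s %-15s %s\n' "$s" "$(check_shellshock "$s")" "$(shell_version "$s")"
done
```

Run it as-is to get one line per shell; in a script, use the exit status of `check_shellshock` directly (non-zero means either vulnerable or missing) rather than parsing the printed word.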