Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
On 09/25/2014 at 11:16 AM, The Wanderer wrote:
> On 09/24/2014 at 04:52 PM, Steve Litt wrote:
>
>> Hi everyone,
>
>> Bash Code Injection Vulnerability via Specially Crafted
>> Environment Variables (CVE-2014-6271)
>
>> https://access.redhat.com/articles/1200223
>> Does anyone know if there's a fix for Debian's bash, and how to
>> install it?
>
> As already noted, there's been a debian-security-announce alert
> about this, for a fix in wheezy.
>
> For testing, I don't know how comprehensive it is, but I ran a
> variant of that same test on my system (with bash 4.3.9) and got a
> successful pass - no vulnerability indicated.
For the record: this was a false negative. I somehow failed to notice
that the "variant" in question invoked /bin/sh instead of bash...
> A quick test also indicates that, as mostly expected, dash (the
> Debian Almquist shell, which provides /bin/sh by default in
> current Debian) is apparently not affected.
...which, because of this, of course did not indicate vulnerability.
The same test with bash instead of /bin/sh shows 4.3-9 as vulnerable, as
expected.
--
The Wanderer
The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw
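Added example (not from the thread above, nor from Debian or Red Hat): a small POSIX sh script that runs the environment-variable function-import check against an explicitly named shell binary and reports which interpreter actually executed it, so a run that silently lands in dash via /bin/sh cannot be mistaken for a clean result for bash. The variable name PROBE, the canary string and the candidate shell paths are assumptions made for this example.

```shell
#!/bin/sh
# Probe a *named* shell for the CVE-2014-6271 function-import behaviour and
# say which interpreter really ran. PROBE, the canary text and the candidate
# paths below are constructed for this example.

# Which interpreter does this path really start? bash sets BASH_VERSION;
# dash and other plain POSIX shells leave it unset.
probe_interpreter() {
    "$1" -c 'echo "${BASH_VERSION:-not-bash}"' 2>/dev/null
}

# Pass an environment variable whose value is a function definition with a
# command appended after the closing brace. An unpatched bash executes that
# trailing command while importing the function at startup; a patched bash
# (and any shell that never imports functions from the environment) does not.
# Prints one of: vulnerable, not-vulnerable, missing, inconclusive.
shellshock_probe() {
    shell="$1"
    if [ ! -x "$shell" ]; then
        echo "missing"
        return 2
    fi
    out=$(env PROBE='() { :;}; echo CANARY_EXECUTED' \
              "$shell" -c 'echo probe-ran' 2>/dev/null)
    case "$out" in
        *CANARY_EXECUTED*) echo "vulnerable";     return 1 ;;
        *probe-ran*)       echo "not-vulnerable"; return 0 ;;
        *)                 echo "inconclusive";   return 3 ;;
    esac
}

# Check each candidate explicitly instead of trusting whatever /bin/sh is.
for s in /bin/sh /bin/bash /bin/dash; do
    if [ -x "$s" ]; then
        printf '%s (%s): %s\n' "$s" "$(probe_interpreter "$s")" \
            "$(shellshock_probe "$s")"
    else
        printf '%s: missing\n' "$s"
    fi
done
```

A line such as `/bin/sh (not-bash): not-vulnerable` is exactly the false negative described in the reply: it says nothing about bash, so the bash line must be read separately.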