
Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)




On 09/25/2014 at 11:16 AM, The Wanderer wrote:

> On 09/24/2014 at 04:52 PM, Steve Litt wrote:
> 
>> Hi everyone,
> 
>> Bash Code Injection Vulnerability via Specially Crafted
>> Environment Variables (CVE-2014-6271)
> 
>> https://access.redhat.com/articles/1200223

>> Does anyone know if there's a fix for Debian's bash, and how to 
>> install it?
> 
> As already noted, there's been a debian-security-announce alert 
> about this, for a fix in wheezy.
> 
> For testing, I don't know how comprehensive it is, but I ran a 
> variant of that same test on my system (with bash 4.3.9) and got a 
> successful pass - no vulnerability indicated.

For the record: this was a false negative. I somehow failed to notice
that the "variant" in question invoked /bin/sh instead of bash...

> A quick test also indicates that, as mostly expected, dash (the 
> Debian Almquist shell, which provides /bin/sh by default in
> current Debian) is apparently not affected.

...which, because of this, of course did not indicate vulnerability.

The same test with bash instead of /bin/sh shows 4.3-9 as vulnerable, as
expected.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw
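The false negative described above (probing /bin/sh, which is dash on Debian, instead of bash) is easy to reproduce. The script below is an added example, not code from the thread or from the Red Hat article; it wraps the widely published benign CVE-2014-6271 probe (a function definition exported in an environment variable with a trailing command) in a helper that takes the shell binary as an explicit argument and reports what /bin/sh actually resolves to, so a "pass" cannot be misread. The helper names `shellshock_check` and `report` and the path /bin/bash are assumptions.

```shell
#!/bin/sh
# Added example, not from the original message. Probe a named shell binary
# for the CVE-2014-6271 (Shellshock) import behaviour. An unpatched bash
# keeps parsing past the function body when importing the variable and
# runs the trailing "echo vulnerable"; a patched bash and dash ignore it.

shellshock_check() {
    shell="$1"
    if [ ! -x "$shell" ]; then
        printf 'missing\n'
        return 2
    fi
    # Only the text after the function body matters: if it is executed at
    # import time, the string "vulnerable" shows up in the captured output.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) printf 'vulnerable\n';     return 0 ;;
        *)            printf 'not-vulnerable\n'; return 1 ;;
    esac
}

# Show which binary sits behind each path before trusting the verdict;
# on Debian /bin/sh points at dash, so it must be probed separately from bash.
report() {
    for s in /bin/sh /bin/bash; do
        target=$(readlink -f "$s" 2>/dev/null || echo "$s")
        printf '%s (-> %s): %s\n' "$s" "$target" "$(shellshock_check "$s")"
    done
}

# Uncomment to run interactively:
# report
```

The return code (0 vulnerable, 1 not vulnerable, 2 binary missing) makes the helper usable from a larger audit script without parsing its output.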

