Heads up: possible BASH security vulnerability

Patrick O'Callaghan pocallaghan at gmail.com
Wed Sep 24 22:56:34 UTC 2014


http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/

>From the article:

The vulnerability affects versions 1.14 through 4.3 of GNU Bash. [...]
To check your system, from a command line, type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

        vulnerable
         this is a test
        
An unaffected (or patched) system will output:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
         bash: warning: x: ignoring function definition attempt
         bash: error importing function definition for `x'
         this is a test

I tried it and got the positive (vulnerable) result.

Can we assume a patched version of Bash will be released shortly?
        
poc



More information about the users mailing list