[Fedora] Heads up: possible BASH security vulnerability
Ian Malone
ibmalone at gmail.com
Thu Sep 25 09:58:47 UTC 2014
> On Wed, 24 Sep 2014, Patrick O'Callaghan wrote:
>
>>
>> http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
>>
>> From the article:
>>
>> The vulnerability affects versions 1.14 through 4.3 of GNU Bash. [...]
>> To check your system, from a command line, type:
>>
>> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>>
>> If the system is vulnerable, the output will be:
>>
>> vulnerable
>> this is a test
>>
>> An unaffected (or patched) system will output:
>>
>> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>> bash: warning: x: ignoring function definition attempt
>> bash: error importing function definition for `x'
>> this is a test
>>
>> I tried it and got the positive (vulnerable) result.
>>
>> Can we assume a patched version of Bash will be released shortly?
>>
>> poc
On 25 September 2014 08:55, Walter Cazzola <cazzola at di.unimi.it> wrote:
> Dear Experts,
> I was wondering if it could be a good workaround to link /bin/sh to tcsh
> instead of bash. I'm not using bash at all but probably something in the
> system is so do you know some contraindication on a system with apache
> and SVN servers?
>
I'd have thought tcsh and bash semantics were sufficiently different
this would break things (with the exception of cases where the shell
is simply being used to launch a command). Dash (as in Debian and
Ubuntu) might be a better replacement, though /bin/sh scripts that
relied on bash features would still break. You would still not have
any protection for CGI scripts that specify bash as the interpreter.
Disabling CGI if you don't need it would probably be the best
protection, not familiar enough with mod_dav_svn to say for sure
though.
--
imalone
http://ibmalone.blogspot.co.uk
More information about the users
mailing list