Heads up: possible BASH security vulnerability
Dan Thurman
dant at cdkkt.com
Fri Sep 26 01:17:14 UTC 2014
On 09/24/2014 03:56 PM, Patrick O'Callaghan wrote:
> http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
>
> From the article:
>
> The vulnerability affects versions 1.14 through 4.3 of GNU Bash. [...]
> To check your system, from a command line, type:
>
> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>
> If the system is vulnerable, the output will be:
>
> vulnerable
> this is a test
>
> An unaffected (or patched) system will output:
>
> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> bash: warning: x: ignoring function definition attempt
> bash: error importing function definition for `x'
> this is a test
>
> I tried it and got the positive (vulnerable) result.
>
> Can we assume a patched version of Bash will be released shortly?
>
> poc
>
Where can I get the official patches for:
CVE-2014-6271
CVE-2014-7169
and once I get these patches, how can I add the details into the bash
spec file?
Once I get the information, I should be ready to go.
More information about the users
mailing list