[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bash-4.3 Official Patch 25 Bug 896776 - (CVE-2014-6271)

From: Eric Blake
Subject: Re: Bash-4.3 Official Patch 25 Bug 896776 - (CVE-2014-6271)
Date: Thu, 25 Sep 2014 14:52:57 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.0

On 09/25/2014 09:33 AM, address@hidden wrote:
> Hello,
> I've downloaded the source for bash 4.3 and all patches, patched the source 
> to Patch 25. 
> But according some description I've found (http://heise.de/-2403305 sorry, 
> only in German
> available), you can test with the command
> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Are you sure you are testing your just-built bash, and not whatever
version of bash happened to be first in your $PATH?

> if your bash is vulnerable. But according this test the bash 4.3 with patch 
> 25 seems
> still vulnerable. I've tried this test with other Linux servers, where the 
> patched 
> bash binaries came from the repositories (Ubuntu, CentOS), where this test 
> now fails.
> So my question: is bash in this version with patch 25 still vulnerable to 
> CVE-2014-6271?

No.  Patch 25 is what solves CVE-2014-6271 (but you will still need to
wait for Patch 26 before having a solution to the weaker CVE-2014-7169).

Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]