Re: Bash 2.05b patch for 896776 - (CVE-2014-6271) ?
From: Steve Simmons
Subject: Re: Bash 2.05b patch for 896776 - (CVE-2014-6271) ?
Date: Fri, 26 Sep 2014 12:55:43 -0400

These patches build and run without problem in our initial bash2 tests.
However, I notice that both the version number reported by ./bash --version and
doing ./bash followed by echo $BASH_VERSION report "2.05b.0(1)-release".
All versions that I've tested of bash3 and bash4 report their patchlevel in the
third field. If I manually update patchlevel.h to change from 0 to 9, the
version is reported as '2.05b.((1)-release'. Bug?
Steve
On Sep 26, 2014, at 10:47 AM, Chet Ramey <chet.ramey@case.edu> wrote:
> On 9/26/14, 4:53 AM, Jean-Christian de Rivaz wrote:
>> Hello,
>>
>> While this can seem completely obsolete, I still have machines running bash
>> 2.05b (Debian etch). I worry about upgrading to bash 3.x because of some
>> backward compatibility issue.
>> Is there any reason why there was no patch for bash 2.05b ? The test
>> command below shows that the bug also affects this version:
>>
>> j$ bash --version
>> GNU bash, version 2.05b.0(1)-release (i386-pc-linux-gnu)
>> Copyright (C) 2002 Free Software Foundation, Inc.
>> j$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>> vulnerable
>> this is a test
>
> Here's one. Two, actually, one for each CVE.
>
> --
> ``The lyf so short, the craft so long to lerne.'' - Chaucer
> ``Ars longa, vita brevis'' - Hippocrates
> Chet Ramey, ITS, CWRU chet@case.edu http://cnswww.cns.cwru.edu/~chet/
> <bash205b-008.txt><bash205b-009.txt>
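
Because the version string reported in this thread does not show the patch level, a behavioural check says more about a rebuilt binary than `$BASH_VERSION` does. The script below is an added example, not part of the thread or of the bash patches; `classify`, `probe_bash` and `report` are hypothetical helper names, and the probe is the test command quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): check bash binaries by behaviour
# instead of by version string. Helper names are hypothetical.

# classify OUTPUT -> prints a verdict for the output of the quoted test command.
classify() {
    case "$1" in
        *vulnerable*)       echo vulnerable ;;      # trailing code ran at import
        *"this is a test"*) echo not-vulnerable ;;  # only the -c command ran
        *)                  echo error ;;           # binary did not run the probe
    esac
}

# probe_bash BINARY -> runs the thread's test command against BINARY.
# Exit status: 0 not vulnerable, 1 vulnerable, 2 could not test.
probe_bash() {
    bin=$1
    [ -x "$bin" ] || { echo error; return 2; }
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>/dev/null) || true
    verdict=$(classify "$out")
    echo "$verdict"
    case "$verdict" in
        not-vulnerable) return 0 ;;
        vulnerable)     return 1 ;;
        *)              return 2 ;;
    esac
}

# report BINARY... -> one tab-separated line per binary:
# path, version string the binary reports, probe verdict.
report() {
    for b in "$@"; do
        ver=$("$b" -c 'echo "$BASH_VERSION"' 2>/dev/null) || ver=
        res=$(probe_bash "$b") || true
        printf '%s\t%s\t%s\n' "$b" "${ver:-unknown}" "$res"
    done
}

# Stand-alone use: sh check.sh ./bash /bin/bash
if [ $# -gt 0 ]; then
    report "$@"
fi
```

The probe covers only CVE-2014-6271, the CVE named in the subject line; the second patch attached to the thread needs its own check.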