Re: CVE-2014-7187
From: Greg Wooledge
Subject: Re: CVE-2014-7187
Date: Fri, 10 Oct 2014 10:07:19 -0400
User-agent: Mutt/1.4.2.3i

On Fri, Oct 10, 2014 at 02:00:41PM +0000, Nabiałek, Wojciech wrote:
> Difference is in version number, mine is 4.3.30(3), your 4.3.30(2)

The number in parentheses is simply how many times Bash has been compiled
in the current source tree. If you apply a new patch and run "make"
again, the number goes up. It's not actually a different version.

> [root@e-mail wojtek]# (for x in {1..200} ; do echo "for x$x in ; do :"; done;
> for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187
> vulnerable, word_lineno"
> bash: line 2: `x{1..200}': not a valid identifier
> CVE-2014-7187 vulnerable, word_lineno

Your interactive shell is not Bash (or it's a very OLD Bash), so the
{1..200} was not expanded. That's why this test failed.

Run it again from within Bash.

And for god's sake, don't do vulnerability testing as root.
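
Added example, not part of the original message or of the Bash project: a POSIX sh version of the quoted CVE-2014-7187 self-test that builds the nested loops without brace expansion, so the result does not depend on which shell launches it. The helper names `gen_nested_for` and `check_word_lineno` are hypothetical.

```shell
#!/bin/sh
# Portable form of the CVE-2014-7187 (word_lineno) self-test quoted above.
# gen_nested_for and check_word_lineno are hypothetical helper names.

# Emit N nested empty "for" loops followed by N "done" lines, using only
# POSIX constructs so nothing relies on {1..N} being expanded by the caller.
gen_nested_for() {
    n=$1
    i=1
    while [ "$i" -le "$n" ]; do
        echo "for x$i in ; do :"
        i=$((i + 1))
    done
    i=1
    while [ "$i" -le "$n" ]; do
        echo "done"
        i=$((i + 1))
    done
}

# Feed the generated script to the shell under test and classify the result.
# Returns 0 = not vulnerable, 1 = vulnerable, 2 = inconclusive.
check_word_lineno() {
    target=${1:-bash}
    # Refuse to report on a missing binary or on something that is not Bash.
    ver=$("$target" -c 'echo "$BASH_VERSION"' 2>/dev/null) || ver=""
    if [ -z "$ver" ]; then
        echo "inconclusive: $target is not bash"
        return 2
    fi
    if gen_nested_for 200 | "$target" >/dev/null 2>&1; then
        echo "not vulnerable ($ver)"
    else
        echo "CVE-2014-7187 vulnerable, word_lineno ($ver)"
        return 1
    fi
}

# Run as an unprivileged user, for example: check_word_lineno /bin/bash
```
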