bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE-2014-7187


From: Greg Wooledge
Subject: Re: CVE-2014-7187
Date: Fri, 10 Oct 2014 10:07:19 -0400
User-agent: Mutt/1.4.2.3i

On Fri, Oct 10, 2014 at 02:00:41PM +0000, Nabia??ek, Wojciech wrote:
> Difference is in version number, mine is 4.3.30(3), your 4.3.30(2)

The number in parentheses is simply how many times Bash has been compiled
in the current source tree.  If you apply a new patch and run "make"
again, the number goes up.  It's not actually a different version.

> address@hidden wojtek]# (for x in {1..200} ; do echo "for x$x in ; do :"; 
> done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 
> vulnerable, word_lineno"
> bash: line 2: `x{1..200}': not a valid identifier
> CVE-2014-7187 vulnerable, word_lineno

Your interactive shell is not Bash (or it's a very OLD Bash), so the
{1..200} was not expanded.  That's why this test failed.

Run it again from within Bash.

And for god's sake, don't do vulnerability testing as root.



reply via email to

[Prev in Thread] Current Thread [Next in Thread]