Re: CVE-2014-7187

bug-bash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE-2014-7187

From:	Chet Ramey
Subject:	Re: CVE-2014-7187
Date:	Fri, 10 Oct 2014 10:30:26 -0400
User-agent:	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0

On 10/10/14, 10:00 AM, Nabiałek, Wojciech wrote:

> [root@e-mail wojtek]# (for x in {1..200} ; do echo "for x$x in ; do :"; done; 
> for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 
> vulnerable, word_lineno"
> bash: line 2: `x{1..200}': not a valid identifier
> CVE-2014-7187 vulnerable, word_lineno

Yeah, that's a flawed test.  I'm sure the author never thought that the
test would be run by a shell that didn't implement brace expansion, but
you managed to do it.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet@case.edu    http://cnswww.cns.cwru.edu/~chet/

[Prev in Thread]

Current Thread

[Next in Thread]

CVE-2014-7187, Nabiałek , Wojciech, 2014/10/10
- Re: CVE-2014-7187, Chet Ramey, 2014/10/10
  - RE: CVE-2014-7187, Nabiałek , Wojciech, 2014/10/10
    - Re: CVE-2014-7187, Greg Wooledge, 2014/10/10
    - Re: CVE-2014-7187, Chet Ramey <=
    - Re: CVE-2014-7187, Eric Blake, 2014/10/10

Prev by Date: Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey)
Next by Date: Re: CVE-2014-7187
Previous by thread: Re: CVE-2014-7187
Next by thread: Re: CVE-2014-7187
Index(es):
- Date
- Thread