Re: bash-2.05b-013 appears to not work
From: Eric Blake
Subject: Re: bash-2.05b-013 appears to not work
Date: Fri, 17 Oct 2014 08:28:05 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1

On 10/17/2014 08:18 AM, Greg Wooledge wrote:
> On Fri, Oct 17, 2014 at 10:10:36AM -0400, Dave Kalaluhi wrote:
>> Locally we are using:
>>
>> (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in
>> {1..200} ; do echo done ; done) | bash ||
>> echo "CVE-2014-7187 vulnerable, word_lineno"
>
> As mentioned in previous emails on this topic, that test is NOT
> correct for bash 2.05b because it uses the {1..200} syntax which
> was not introduced until bash 3. Replace it with a C-style for
> loop.

As also mentioned, that test is ONLY for whether you have a parser bug,
and NOT for whether bash is vulnerable. The test is misleading, and you
should report it to the site where you found it that it is not a good
test, because it gives misleading results.

The following is a better test for whether CVE-2014-7187 can be
exploited to remotely attack your system:

  f='() { echo vulnerable; }' bash -c f

If it prints:

  bash: f: command not found

then your system is not vulnerable, no matter how many other parser bugs
it has (6 parser bugs have been assigned a CVE so far, but there are
probably others as well).

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
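
Added example, not part of the message above: the function-import check wrapped so it can be run against each bash binary on a host and judged on captured output rather than by eye. The names `check_import` and `audit_shells` and the result strings are made up for this example; shell paths are assumed to be absolute.

```shell
#!/bin/sh
# Added example: classify a shell binary using the function-import check
# quoted in the message. Function names and result strings are hypothetical.

check_import() {
    shell=$1
    [ -x "$shell" ] || { echo "missing"; return 2; }
    # env -i starts from an empty environment, so the only thing the shell
    # can import is the variable f. A patched shell exits non-zero with
    # "f: command not found" on stderr; "|| true" keeps that from aborting
    # callers that run under "set -e".
    out=$(env -i f='() { echo vulnerable; }' "$shell" -c f 2>/dev/null) || true
    if [ "$out" = "vulnerable" ]; then
        echo "imports-functions"
        return 1
    fi
    echo "no-import"
    return 0
}

# Check every bash listed in /etc/shells plus the first bash found in PATH.
audit_shells() {
    { grep -s '/bash$' /etc/shells; command -v bash; } | sort -u |
    while read -r sh; do
        printf '%s: %s\n' "$sh" "$(check_import "$sh")"
    done
}

audit_shells
```

A host often carries more than one bash (a vendor copy, a locally built one), which is why the audit walks `/etc/shells` instead of testing only the first match in `PATH`.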