bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: bash-2.05b-013 appears to not work


From: Eric Blake
Subject: Re: bash-2.05b-013 appears to not work
Date: Fri, 17 Oct 2014 08:28:05 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1

On 10/17/2014 08:18 AM, Greg Wooledge wrote:
> On Fri, Oct 17, 2014 at 10:10:36AM -0400, Dave Kalaluhi wrote:
>> Locally we are using:
>>
>> (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in
>> {1..200} ; do echo done ; done) | bash ||
>> echo "CVE-2014-7187 vulnerable, word_lineno"
> 
> As mentioned in previous emails on this topic, that test is NOT
> correct for bash 2.05b because it uses the {1..200} syntax which
> was not introduced until bash 3.  Replace it with a C-style for
> loop.

As also mentioned, that test is ONLY for whether you have a parser bug,
and NOT for whether bash is vulnerable.  The test is misleading, and you
should report it to the site where you found it that it is not a good
test, because it gives misleading results.

The following is a better test for whether CVE-2014-7187 can be
exploited to remotely attack your system:

f='() { echo vulnerable; } bash -c f

If it prints:
bash: f: command not found

then your system is not vulnerable, no matter how many other parser bugs
it has (6 parser bugs have been assigned a CVE so far, but there are
probably others as well).

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]