[GLLUG] Bash Bug

Iain M Conochie iain at shihad.org
Thu Sep 25 15:54:34 UTC 2014


On 25/09/14 16:25, James Roberts wrote:
> On 25/09/14 10:14, Sunny Aujla wrote:
>> Thought I'd share this with everyone.
>>
>> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/ 
>>
>
> I've just about finished checking all our systems and so far it's a 
> Red Hat/CentOS only issue and there's a (possibly transitional but at 
> least working for now) patch.
> <snip>
Sorry mate, but this is a bash bug, and is not confined only to RHEL / 
CentOS:


 >$ env x='() { :;}; \
echo vulnerable'  bash -c "echo this is a test"
vulnerable
this is a test
 >$ cat /etc/debian_version
6.0.10
 >$ bash --version
GNU bash, version 4.1.5(1)-release (i486-pc-linux-gnu)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
<http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Also saw that the patch may not totally fix things too. Worrying days 
(again) if you run an internet-facing web server :(


http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

Cheers

Iain




