[GLLUG] Bash Bug

Sharon Kimble boudiccas at skimble.plus.com
Thu Sep 25 18:35:21 UTC 2014


Iain M Conochie <iain at shihad.org> writes:

> On 25/09/14 16:25, James Roberts wrote:
>> On 25/09/14 10:14, Sunny Aujla wrote:
>>> Thought I'd share this with everyone.
>>>
>>> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/ 
>>>
>>
>> I've just about finished checking all our systems and so far it's a
>> Red Hat/CentOS only issue and there's a (possibly transitional but
>> at least working for now) patch.
>> <snip>
> Sorry mate, but this is a bash bug, and is not confined only to RHEL /
> CentOS:
>
>
>>$ env x='() { :;}; \
> echo vulnerable'  bash -c "echo this is a test"
> vulnerable
> this is a test
>>$ cat /etc/debian_version
> 6.0.10
>>$ bash --version
> GNU bash, version 4.1.5(1)-release (i486-pc-linux-gnu)
> Copyright (C) 2009 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
> <http://gnu.org/licenses/gpl.html>
>
> This is free software; you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Also saw that the patch may not totally fix things too. Worrying days
> (again) if you run an internet facing
> web server :(
>
>

Jessie's bash shows -

--8<---------------cut here---------------start------------->8---
GNU bash, version 4.3.24(1)-release (i586-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
--8<---------------cut here---------------end--------------->8---

And it fails the test, unfortunately.

Sharon.
-- 
A taste of linux = http://www.sharons.org.uk
my git repo = https://bitbucket.org/boudiccas/dots
TGmeds = http://www.tgmeds.org.uk
Debian testing, fluxbox 1.3.5, emacs 24.3.93.1
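
Added example, not part of the original message: a shell script that runs the test quoted above against every bash listed in a shells file such as /etc/shells and prints a verdict for each. The marker string and the function names are constructed for this example, and it covers only that one test.

```shell
#!/bin/sh
# Added example, not from the thread. MARKER is a constructed value that
# replaces the word "vulnerable" so it cannot be confused with other output.
MARKER="imported-function-body-ran"

# classify_output TEXT: interpret what the test command printed.
classify_output() {
    case $1 in
        *"$MARKER"*)        echo "vulnerable" ;;      # trailing command ran
        *"this is a test"*) echo "not vulnerable" ;;  # only -c command ran
        *)                  echo "inconclusive" ;;    # shell did not run
    esac
}

# check_shell PATH: run the thread's test against one shell binary.
check_shell() {
    if [ ! -x "$1" ]; then
        echo "inconclusive"
        return 0
    fi
    # env -i: the child sees a clean environment holding only variable x.
    out=$(env -i x="() { :;}; echo $MARKER" "$1" -c 'echo this is a test' 2>/dev/null) || true
    classify_output "$out"
}

# audit_shells FILE: check every path ending in /bash listed in FILE
# (same format as /etc/shells); returns 1 if any of them is vulnerable.
audit_shells() {
    found=0
    while IFS= read -r path; do
        case $path in
            '#'*)   continue ;;   # comment line
            */bash) ;;            # a bash binary: test it
            *)      continue ;;   # some other shell
        esac
        verdict=$(check_shell "$path")
        printf '%s: %s\n' "$path" "$verdict"
        if [ "$verdict" = "vulnerable" ]; then found=1; fi
    done < "$1"
    return "$found"
}

# Usage: sh check-bash.sh /etc/shells
if [ "$#" -gt 0 ]; then
    audit_shells "$1"
fi
```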