Fwd: [NZLUG] ALERT: Remote code-exec in bash (CVE-2014-6271)
FYI
---------- Forwarded message ----------
From: Clark Mills c.mills@auckland.ac.nz
Date: Thu, Sep 25, 2014 at 8:33 AM
Subject: Re: [NZLUG] ALERT: Remote code-exec in bash (CVE-2014-6271)
To: NZ Linux Users Group nzlug@lists.nzoss.org.nz
[ from /. thread ]
This is the test to see if you are vulnerable:
env x='() {:;}; echo vulnerable' bash -c "echo this is a test"
On 25/09/14 08:16, Jaco wrote:
bash is borked.
http://www.csoonline.com/article/2687265/application-security/remote-exploit...
This is bad. This is very, VERY bad.
Please go patch!
_______________________________________________
NZLUG mailing list
NZLUG@lists.nzoss.org.nz
http://lists.nzoss.org.nz/mailman/listinfo/nzlug
On Thu, Sep 25, 2014 at 08:49:24AM +1200, Peter Reutemann wrote:
[ from /. thread ]
This is the test to see if you are vulnerable:
env x='() {:;}; echo vulnerable' bash -c "echo this is a test"
And what should we see if we are vulnerable? My running of that just prints out syntax errors and then runs the echo command. The printing out of syntax errors does seem strange, as I would have expected the guff in the single quotes to be verbatim assigned to x without any globbing or variable substitution. But I am no expert in bash having learnt most of my Unix foo on Solaris and Tru64 Unix running csh.
Cheers Michael.
[ from /. thread ]
This is the test to see if you are vulnerable:
env x='() {:;}; echo vulnerable' bash -c "echo this is a test"
And what should we see if we are vulnerable? My running of that just prints out syntax errors and then runs the echo command. The printing out of syntax errors does seem strange, as I would have expected the guff in the single quotes to be verbatim assigned to x without any globbing or variable substitution. But I am no expert in bash having learnt most of my Unix foo on Solaris and Tru64 Unix running csh.
Bad: vulnerable this is a test
Good: this is a test
Source: http://linux.slashdot.org/comments.pl?sid=5750159&cid=47985837
Cheers, Peter
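The test and the Bad/Good outputs above, wrapped in a script as an added example (not part of the thread). The function names are made up for this example; the test value is written with a space after `{`, and treating any stderr output as inconclusive is this example's assumption.

```shell
#!/bin/sh
# Added example: wrap the thread's test and classify its output.
# classify_result and check_bash are names made up for this example.

# $1 = captured stdout, $2 = captured stderr of the test command.
classify_result() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        # The command placed after the function body was executed.
        echo "vulnerable"
    elif [ -n "$2" ]; then
        # Errors on stderr (the case Michael reports): no verdict either way.
        echo "inconclusive"
    elif [ "$1" = "this is a test" ]; then
        # Only the requested command ran: the "Good" output from the thread.
        echo "not vulnerable"
    else
        echo "inconclusive"
    fi
}

# $1 = bash binary to test (defaults to the first bash on PATH).
check_bash() {
    cb_shell=${1:-bash}
    cb_err=$(mktemp) || return 2
    # Assumption: a space follows "{", as bash requires for a function body.
    cb_out=$(env x='() { :;}; echo vulnerable' "$cb_shell" -c "echo this is a test" 2>"$cb_err") || :
    cb_msg=$(cat "$cb_err")
    rm -f "$cb_err"
    classify_result "$cb_out" "$cb_msg"
}

# Report on the given binary, e.g. ./check.sh /bin/bash
printf '%s: %s\n' "${1:-bash}" "$(check_bash "${1:-bash}")"
```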
On 25 September 2014 09:24, Peter Reutemann fracpete@waikato.ac.nz wrote:
[ from /. thread ]
This is the test to see if you are vulnerable:
env x='() {:;}; echo vulnerable' bash -c "echo this is a test"
And what should we see if we are vulnerable? My running of that just prints out syntax errors and then runs the echo command. The printing out of syntax errors does seem strange, as I would have expected the guff in the single quotes to be verbatim assigned to x without any globbing or variable substitution. But I am no expert in bash having learnt most of my Unix foo on Solaris and Tru64 Unix running csh.
Bad: vulnerable this is a test
Good: this is a test
Source: http://linux.slashdot.org/comments.pl?sid=5750159&cid=47985837
There is also the redhat FAQ that has a lot of helpful information:
https://access.redhat.com/articles/1200223
Cheers, Warren.
On 25/09/14 07:58, Wazzä wrote:
There is also the redhat FAQ that has a lot of helpful information:
Instructions for updating Fedora, if you don’t want to wait for the updates to make their way through the signing and mirroring systems.
http://fedoramagazine.org/flaw-discovered-in-the-bash-shell-update-your-fedo...
--
Simon Green
Software Engineer
Red Hat Asia Pacific Pty Ltd
participants (4)
- Michael Cree
- Peter Reutemann
- Simon Green
- Wazzä