[olug] Bash Bug Info

Lou Duchez lou at paprikash.com
Thu Sep 25 12:08:24 CDT 2014


I'm pretty sure you're okay; take a look at this page:

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

More or less the same test as you were running, and they are explicit 
that it's not a problem if you get the final "echo" message, provided it 
craps out on the function definition attempt.

> I just ran the test script below - ok needed updates.
>
> Did the updates, reran the script
>
> Now I'm getting error importing x but Hello is still echoed at the end.
>
> Is this expected?
>
> The system claims no more updates marked needed.
>
> Thanks
> ---- jay swackhamer <reboottheuser at gmail.com> wrote:
> Has anyone ever thought that a vulnerability announcement like this, would
> be an efficient way to deliver another vulnerability inside the package,
> and guarantee that most will install it on their systems?
>
> On Thu, Sep 25, 2014 at 6:26 AM, Brian Roberson <roberson at bstc.net> wrote:
>
>> Busy day for all us sys admins.
>>
>> Quick vulnerability check:
>>
>> env x='() { :;}; echo vulnerable' bash -c 'echo hello'
>>
>>
>> if you get anything but an error, you need to patch quickly!
>>
>>
>> http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
>> _______________________________________________
>> OLUG mailing list
>> OLUG at olug.org
>> https://lists.olug.org/mailman/listinfo/olug
>>
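
Added example, not part of the original thread: a small shell wrapper that runs the quoted probe and classifies the result the way the reply above reads it, where "hello" on its own is fine as long as "vulnerable" is never printed. The function names and verdict strings are hypothetical, the sample outputs in the comments are constructed, and the silent case assumes a later bash update that no longer treats a plain variable named x as a function at all.

```shell
#!/bin/sh
# Classify the probe's captured output.
#   $1 = stdout of the probe, $2 = stderr of the probe
# Constructed sample outputs this is meant to tell apart:
#   unpatched:        stdout "vulnerable" then "hello"
#   patched, noisy:   stderr "error importing function definition", stdout "hello"
#   patched, silent:  stdout "hello", empty stderr
classify_probe() {
    case "$1" in
        *vulnerable*) echo "VULNERABLE"; return 0 ;;
    esac
    case "$1" in
        *hello*) ;;                               # bash ran the -c command
        *) echo "INCONCLUSIVE"; return 0 ;;       # probe did not run as expected
    esac
    case "$2" in
        *"error importing function definition"*|*"ignoring function definition attempt"*)
            echo "PATCHED_WITH_ERROR" ;;          # the case discussed in the thread
        *)
            echo "PATCHED_SILENT" ;;
    esac
}

# Run the probe from the thread against one bash binary (default: bash on PATH)
# and print a verdict. stdout and stderr are captured separately because the
# verdict depends on which stream carries which message.
probe_bash() {
    shell=${1:-bash}
    errfile=$(mktemp) || { echo "INCONCLUSIVE"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo hello' 2>"$errfile")
    err=$(cat "$errfile")
    rm -f "$errfile"
    classify_probe "$out" "$err"
}

# Check the default bash; pass a path to test another binary,
# e.g. probe_bash /usr/local/bin/bash
probe_bash
```

Every bash binary on a host needs its own check, since a package update only replaces the copy the package manager owns.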
