Date: Wed, 01 Oct 2014 07:32:57 -0700
From: Paul Vixie <paul@...barn.org>
To: Michal Zalewski <lcamtuf@...edump.cx>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] the other bash RCEs (CVE-2014-6277 and CVE-2014-6278)

michal, thank you for your incredibly informative report here. i have a
minor correction.

> Michal Zalewski <mailto:lcamtuf@...edump.cx>
> Wednesday, October 01, 2014 7:21 AM
> ...
>
> Note: over the past few days, Florian's patch has been picked up by
> major Linux distros (Red Hat, Debian, SUSE, etc), so there is a
> reasonable probability that you are in good shape. To test, execute
> this command from within a bash shell:
>
> foo='() { echo not patched; }' bash -c foo

this command need not be executed from within bash. the problem occurs
when bash is run by the command, and the shell that runs the command can
be anything. for example, on a system where i have deliberately not
patched bash, where sh is "ash" (almquist shell):

> $ foo='() { echo not patched; }' bash -c foo
> not patched 

here's me testing it from within tcsh:

> % env foo='() { echo not patched; }' bash -c foo
> not patched
> % (setenv foo '() { echo not patched; }'; bash -c foo)
> not patched

this is a minor issue, but i've found in matters of security bug
reports, tests, and discussions, that any minor matter can lead to deep
misunderstanding.

thanks again for your excellent report, and your continuing work on this
issue.

vixie

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists