[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Bash-4.3 Official Patch 25 Bug 896776 - (CVE-2014-6271)
|
From: |
Ralf Naegele |
|
Subject: |
Re: Bash-4.3 Official Patch 25 Bug 896776 - (CVE-2014-6271) |
|
Date: |
Fri, 26 Sep 2014 10:01:35 +0200 (CEST) |
Yes, you are right. It was my error. I've successfully tested now the
patched bash and it is working now as expected. Thanks for your help!
Regards,
Ralf
On Fri, 26 Sep 2014, Alexandre FERRIEUX - SOFT/LAN wrote:
> Date: Fri, 26 Sep 2014 08:30:41 +0200
> From: Alexandre FERRIEUX - SOFT/LAN <alexandre.ferrieux@orange.com>
> To: Ralf Naegele <ralf.naegele@she.net>
> Cc: "Eduardo A. Bustamante López" <dualbus@gmail.com>, bug-bash@gnu.org
> Subject: Re: Bash-4.3 Official Patch 25 Bug 896776 - (CVE-2014-6271)
>
> On 26/09/2014 08:23, Ralf Naegele wrote:
> > Hello Eduardo,
> >
> > I haven't installed the patched bash yet. I called it in the source
> > directory after compiling, it with ./bash so I think this should start the
> > patched bash.
>
> You started ./bash as the parent reading the offending line, but did you also
> modify it so that ./bash appears inside ?
>
> env x='() { :;}; echo vulnerable' ./bash -c "echo this is a test"
>
>
> This is important since the bug occurs in the child, at init time (within
> shell_initialize_variables)
>
> -Alex
>