Re: Bash 2.05b patch for 896776 - (CVE-2014-6271) ?

From: Steve Simmons
Subject: Re: Bash 2.05b patch for 896776 - (CVE-2014-6271) ?
Date: Fri, 26 Sep 2014 12:55:43 -0400

These patches build and run without problem in our initial bash2 tests. 
However, I notice that ./bash --version and running ./bash followed by echo
$BASH_VERSION both report "2.05b.0(1)-release".
All versions that I've tested of bash3 and bash4 report their patchlevel in the 
third field. If I manually update patchlevel.h to change from 0 to 9, the 
version is reported as '2.05b.((1)-release'. Bug?


On Sep 26, 2014, at 10:47 AM, Chet Ramey <address@hidden> wrote:

> On 9/26/14, 4:53 AM, Jean-Christian de Rivaz wrote:
>> Hello,
>> While this can seem completely obsolete, I still have machines running bash
>> 2.05b (Debian etch). I worry about upgrading to bash 3.x because of some
>> backward compatibility issue.
>> Is there any reason why there was no patch for bash 2.05b? The test
>> command below shows that the bug also affects this version:
>> j$ bash --version
>> GNU bash, version 2.05b.0(1)-release (i386-pc-linux-gnu)
>> Copyright (C) 2002 Free Software Foundation, Inc.
>> j$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>> vulnerable
>> this is a test
> Here's one.  Two, actually, one for each CVE.
> -- 
> ``The lyf so short, the craft so long to lerne.'' - Chaucer
>                ``Ars longa, vita brevis'' - Hippocrates
> Chet Ramey, ITS, CWRU    address@hidden    http://cnswww.cns.cwru.edu/~chet/
> <bash205b-008.txt><bash205b-009.txt>
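
Added example, not part of the original thread and not code from any poster: since the reported version string stayed at "2.05b.0(1)-release" after patching, the sketch below classifies a binary by running the test command quoted above rather than by reading its version. The function names and the stub are hypothetical, and the check covers only that one test, not the second CVE mentioned in the reply.

```sh
#!/bin/sh
# check_shell PATH prints one of: vulnerable | not_vulnerable | error.
# It runs the test command quoted in the thread against PATH and classifies
# the output, so the result does not depend on the reported version string.
check_shell() {
    sh_path=$1
    [ -x "$sh_path" ] || { echo error; return 2; }
    out=$(env x='() { :;}; echo vulnerable' "$sh_path" -c 'echo this is a test' 2>/dev/null) || :
    case $out in
        *vulnerable*)       echo vulnerable;     return 1 ;;
        *'this is a test'*) echo not_vulnerable; return 0 ;;
        *)                  echo error;          return 2 ;;
    esac
}

# Print "<path> <reported version> <behavioural result>" for one binary,
# so a stale version string and the real behaviour can be compared.
report_shell() {
    ver=$("$1" -c 'echo "$BASH_VERSION"' 2>/dev/null) || :
    res=$(check_shell "$1") || :
    echo "$1 ${ver:-unknown} $res"
}

# Constructed stand-in for an unpatched binary (not a real bash): it only
# mimics the two output lines shown in the thread, so the "vulnerable"
# branch can be exercised on a machine where every real shell is patched.
make_unpatched_stub() {
    cat > "$1" <<'EOF'
#!/bin/sh
case $x in '() {'*) echo vulnerable ;; esac
[ "$1" = -c ] && eval "$2"
EOF
    chmod +x "$1"
}

# Usage: sh thisfile /bin/bash /usr/local/bin/bash ...
for b in "$@"; do report_shell "$b"; done
```
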
