bug-bash

Re: Bash-4.2 Official Patch 49


From: Eric Blake
Subject: Re: Bash-4.2 Official Patch 49
Date: Sat, 27 Sep 2014 00:25:01 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.0

On 09/26/2014 11:00 PM, V S, Nagendra (Nonstop Filesystems Team) wrote:
> Hi Chet,
> Thanks a lot for the patch. 
> 
> The official bash patch & the patch that you posted on openwall forum seem 
> to be different.  The official bash patch does not contain this
> 
> *** ../bash-4.2.48/y.tab.c     2012-12-31 11:53:10.000000000 -0500
> --- y.tab.c    2014-09-25 20:23:25.000000000 -0400

y.tab.c is a generated file, and will automatically be patched IF your
build environment contains a working bison.  The openwall forum listed a
working directory that had both the .y and generated .c file changes in
one listing, although the official patch is just the minimum change.  If
you are worried, check that your generated .c file contains the added
line.  At any rate, the existing tests to tell if CVE-2014-7186 has been
fixed for your particular build of bash won't lie - if those tests say
you are not vulnerable to this particular aspect of ShellShock, then the
patch was applied correctly.

Still, please bear in mind that ShellShock has multiple heads.  Read
this for more details why you need more than patch 49, before you can
consider yourself fully immune to ShellShock:

https://lists.gnu.org/archive/html/bug-bash/2014-09/msg00238.html

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
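
The check suggested above (confirming that the generated .c file contains the line the patch adds to the .y file) can be scripted. The following is an added example, not part of the original message or of bash's sources; the function names, file names and sample patch are constructed. It assumes the added lines are C code that bison copies verbatim, and it looks only at pure additions (`+ ` lines) in a context diff.

```shell
# Added example, not from the original message. All sample data is constructed.

# added_lines PATCH: print the lines a context diff adds ("+ " prefix) to any
# *.y file, with leading whitespace trimmed and blank lines dropped.
added_lines() {
    awk '
        /^\*\*\* / && !/ \*\*\*\*$/ { in_y = 0; next }             # old-file header
        /^--- /    && !/ ----$/     { in_y = ($2 ~ /\.y$/); next } # new-file header
        in_y && /^\+ / { s = substr($0, 3); sub(/^[ \t]+/, "", s); if (s != "") print s }
    ' "$1"
}

# check_generated PATCH GENERATED_C: return 0 only if every added line is
# present verbatim in the generated parser; report the ones that are not.
check_generated() {
    status=0
    added=$(added_lines "$1")
    [ -n "$added" ] || { echo "no added .y lines found in $1" >&2; return 2; }
    while IFS= read -r line; do
        grep -F -q -e "$line" "$2" || { echo "missing: $line"; status=1; }
    done <<EOF
$added
EOF
    return $status
}

# Constructed sample: a context diff touching a grammar file and a header,
# plus one regenerated and one stale "generated" file. $1 is a scratch dir.
make_sample() {
    cat > "$1/sample.patch" <<'EOF'
*** ../demo-1.0/parse.y 2000-01-01 00:00:00
--- parse.y 2000-01-02 00:00:00
***************
*** 10,12 ****
--- 10,13 ----
    reset_state ();
+   example_added_flag = 0;
    return;
*** ../demo-1.0/patchlevel.h 2000-01-01 00:00:00
--- patchlevel.h 2000-01-02 00:00:00
***************
*** 1 ****
! #define PATCHLEVEL 1
--- 1 ----
! #define PATCHLEVEL 2
EOF
    printf 'reset_state ();\nexample_added_flag = 0;\nreturn;\n' > "$1/fresh.c"
    printf 'reset_state ();\nreturn;\n' > "$1/stale.c"
}
```

A non-zero result from `check_generated` against your own y.tab.c means the generated parser was not rebuilt from the patched grammar file, which is the case where a working bison was missing from the build.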
