[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CVE-2014-7187
|
From: |
Chet Ramey |
|
Subject: |
Re: CVE-2014-7187 |
|
Date: |
Fri, 10 Oct 2014 09:37:16 -0400 |
|
User-agent: |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0 |
On 10/10/14, 4:03 AM, Nabiałek, Wojciech wrote:
> Hi,
>
> Bash 4.3 after patch 30 is still vulnerable for shellshock CVE-2014-7187.
No, it's not.
> (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ;
> do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"
I'm curious about what you think this demonstrates, but in the meantime:
$ ./bash --version
GNU bash, version 4.3.30(2)-release (x86_64-unknown-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
$ (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200}
; do echo done ; done) | ./bash
$ echo $?
0
Chet
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU chet@case.edu http://cnswww.cns.cwru.edu/~chet/
- CVE-2014-7187, Nabiałek , Wojciech, 2014/10/10
- Re: CVE-2014-7187,
Chet Ramey <=