[...]
So, to FULLY test whether you are still vulnerable to ShellShock, we
must come up with a test that proves that NO possible function body
assigned to a valid shell variable name can EVER cause bash to invoke
the parser without your consent. For that, I use this (all on one line,
even if my mailer wrapped it):
$ bash -c "export f=1 g='() {'; f() { echo 2;}; export -f f; bash -c
'echo \$f \$g; f; env | grep ^f='"
which is sufficient to test that both normal variables and functions can
both be exported, AND show you whether there is a collision in the
environment. Ideally, you would see the following result (immune to
shell-shock):
1 () {
2
f=1
It may also be possible that your version of bash decided to prohibit
function exports (either permanently, or at least by default while still
giving you a new knob to explicitly turn them back on), in which case
you'd see something like this (also immune to shell-shock):
1 () {
f: bash: f: command not found
f=1
But if you see something like the following, YOU ARE STILL VULNERABLE:
bash: g: line 1: syntax error: unexpected end of file
bash: error importing function definition for `g'
1
2
f=1
f=() { echo 2
By the way, this vulnerable output is what I get when using bash 4.3.26
with no additional patches, which proves upstream bash IS still
vulnerable to CVE-2014-7186, _because_ it invokes the parser on
arbitrary untrusted input that can be assigned to a normal variable.
Red Hat's approach of using 'BASH_FUNC_foo()=() {' instead of 'foo=() {'
as the means for exporting functions is immune to all possible
ShellShock attacks, even if there are other parser bugs, because it is
no longer possible to mix normal variables with arbitrary content with
exported functions in the environment (ALL normal variable contents pass
through unmolested, with no attempt to run the parser on them). In
conclusion, I hope Chet will be providing additional patches soon (both
a patch to fix the CVE-2014-7186 parser bug, and a patch to
once-and-for-all move exported functions into a distinct namespace).