bug-bash

Re: CVE-2014-7187


From: Greg Wooledge
Subject: Re: CVE-2014-7187
Date: Fri, 10 Oct 2014 10:07:19 -0400
User-agent: Mutt/1.4.2.3i

On Fri, Oct 10, 2014 at 02:00:41PM +0000, Nabia??ek, Wojciech wrote:
> Difference is in version number, mine is 4.3.30(3), your 4.3.30(2)

The number in parentheses is simply how many times Bash has been compiled
in the current source tree.  If you apply a new patch and run "make"
again, the number goes up.  It's not actually a different version.

> [root@e-mail wojtek]# (for x in {1..200} ; do echo "for x$x in ; do :"; done; 
> for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 
> vulnerable, word_lineno"
> bash: line 2: `x{1..200}': not a valid identifier
> CVE-2014-7187 vulnerable, word_lineno

Your interactive shell is not Bash (or it's a very OLD Bash), so the
{1..200} was not expanded.  That's why this test failed.

Run it again from within Bash.

And for god's sake, don't do vulnerability testing as root.
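
The failure described in the message above, as an added example that is not part of the original thread: a POSIX sh version of the quoted test that builds the nested `for` input with a counting loop instead of `{1..200}`, so the result does not depend on which shell invokes it, and that declines to run as root. The function names and the `--run` argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original thread). POSIX sh only: no brace
# expansion, so the generated input is the same whichever shell runs this.

# Emit N nested "for" headers followed by N "done" lines.
gen_nested_for() {
    n=$1 i=1
    while [ "$i" -le "$n" ]; do
        echo "for x$i in ; do :"
        i=$((i + 1))
    done
    i=1
    while [ "$i" -le "$n" ]; do
        echo done
        i=$((i + 1))
    done
}

# True if the shell named in $1 expands {1..3} into three words.
expands_braces() {
    [ "$("$1" -c 'echo {1..3}' 2>/dev/null)" = "1 2 3" ]
}

# Feed the generated input to the bash binary named in $1 (default: bash).
# Returns 0 = not vulnerable, 1 = vulnerable, 2 = test not run.
# As in the thread's one-liner, any non-zero exit is reported as vulnerable.
check_word_lineno() {
    target=${1:-bash}
    if [ "$(id -u)" -eq 0 ]; then
        echo "refusing to run as root" >&2
        return 2
    fi
    command -v "$target" >/dev/null 2>&1 || { echo "$target not found" >&2; return 2; }
    if gen_nested_for 200 | "$target" >/dev/null 2>&1; then
        echo "not vulnerable"
    else
        echo "CVE-2014-7187 vulnerable, word_lineno"
        return 1
    fi
}

# Only run the check when asked to: sh thisfile --run [path-to-bash]
if [ "${1:-}" = "--run" ]; then
    expands_braces "${SHELL:-sh}" || echo "note: ${SHELL:-sh} does not expand {1..200}" >&2
    check_word_lineno "${2:-bash}"
fi
```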


