bug-bash

Re: bash-2.05b-013 appears to not work


From: Dave Kalaluhi
Subject: Re: bash-2.05b-013 appears to not work
Date: Fri, 17 Oct 2014 10:10:36 -0400

I guess that would help. I meant to include that in the initial mail,
but alas, running in 50K directions.

Locally we are using:

(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash ||
echo "CVE-2014-7187 vulnerable, word_lineno"

If we run the test via ssh, it is showing patched; however, locally it is
still showing vulnerable.

Thanks Eric,
Dave

On 10/16/14, Chet Ramey <chet.ramey@case.edu> wrote:
> On 10/16/14, 5:02 PM, Dave Kalaluhi wrote:
>> We have been compiling some of the older versions of bash to fix
>> vulnerabilities, and for the most part, it has been working.
>>
>> However, when we patch the 013 patch for CVE-2014-7187, and run the
>> nested loop, it's still showing as vulnerable.
>>
>> Has anyone else had a similar experience?
>
> Since the code that had the off-by-one error was not even in bash-2.05b,
> I'm skeptical that it's vulnerable.
>
> --
> ``The lyf so short, the craft so long to lerne.'' - Chaucer
>                ``Ars longa, vita brevis'' - Hippocrates
> Chet Ramey, ITS, CWRU    chet@case.edu    http://cnswww.cns.cwru.edu/~chet/
>
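
The one-liner in the message tests whichever bash is first on PATH and prints "vulnerable" for any non-zero exit of the pipeline. The following is an added example, not part of the thread: it runs the same nested-loop input through a bash binary named by absolute path, so a local run and an ssh run can be compared binary by binary. The function names and return codes are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are this example's own.
# The input is generated with POSIX constructs only, because {1..200} brace
# expansion is not performed by bash releases before 3.0.

# Emit N nested "for" headers followed by N "done" lines.
gen_nested_loops() {
    depth=$1
    i=1
    while [ "$i" -le "$depth" ]; do
        echo "for x$i in ; do :"
        i=$((i + 1))
    done
    i=1
    while [ "$i" -le "$depth" ]; do
        echo done
        i=$((i + 1))
    done
}

# Feed the generated script to the bash binary at $1 (depth $2, default 200).
# Returns 0 = ran cleanly, 1 = target exited non-zero, 2 = not executable.
check_bash() {
    target=$1
    [ -x "$target" ] || return 2
    if gen_nested_loops "${2:-200}" | "$target" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Print one result line per binary, including its version banner.
report() {
    rc=0
    check_bash "$1" || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "$1: not an executable file"
        return 0
    fi
    ver=$("$1" --version 2>/dev/null | head -n 1)
    if [ "$rc" -eq 0 ]; then
        echo "$1 [$ver]: nested loops ran cleanly"
    else
        echo "$1 [$ver]: non-zero exit, rerun by hand and read stderr"
    fi
}

# Usage: sh check.sh /bin/bash /usr/local/bin/bash
for b in "$@"; do report "$b"; done
```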
