These patches build and run without problem in our initial bash2 tests. However, I notice that ./bash --version and running ./bash followed by echo $BASH_VERSION both report "2.05b.0(1)-release". All versions of bash3 and bash4 that I've tested report their patchlevel in the third field. If I manually update patchlevel.h to change from 0 to 9, the version is reported as '2.05b.((1)-release'. Bug?

Steve

On Sep 26, 2014, at 10:47 AM, Chet Ramey <chet.ra...@case.edu> wrote:

> On 9/26/14, 4:53 AM, Jean-Christian de Rivaz wrote:
>> Hello,
>>
>> While this can seem completely obsolete, I still have machines running bash
>> 2.05b (Debian etch). I worry about upgrading to bash 3.x because of some
>> backward compatibility issue.
>> Is there any reason why there was no patch for bash 2.05b? The test
>> command below shows that the bug also affects this version:
>>
>> j$ bash --version
>> GNU bash, version 2.05b.0(1)-release (i386-pc-linux-gnu)
>> Copyright (C) 2002 Free Software Foundation, Inc.
>> j$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>> vulnerable
>> this is a test
>
> Here's one. Two, actually, one for each CVE.
>
> --
> ``The lyf so short, the craft so long to lerne.'' - Chaucer
> ``Ars longa, vita brevis'' - Hippocrates
> Chet Ramey, ITS, CWRU c...@case.edu http://cnswww.cns.cwru.edu/~chet/
> <bash205b-008.txt><bash205b-009.txt>
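
Added example, not part of the thread or of the bash patches: because the version string may not reflect the applied patch level, this POSIX sh sketch reports the third version field when it parses and also runs the test command quoted above against a given binary. The function names and the output format are assumptions, and the behavioural check covers only the quoted test, not the second CVE mentioned in the reply.

```shell
#!/bin/sh
# Added example: verify a bash build by behaviour, not only by version string.

# Print the third field of a BASH_VERSION-style string ("2.05b.0(1)-release" -> 0).
# Returns 1 when that field is missing or not numeric.
bash_patchlevel() {
    v=${1%%\(*}                      # drop "(build)-release"
    case $v in
        *.*.*) p=${v##*.} ;;         # text after the last dot
        *) return 1 ;;
    esac
    case $p in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$p"
}

# Run the thread's test command against the binary in $1.
# Returns 0 = vulnerable, 1 = not vulnerable, 2 = inconclusive (binary did not run).
probe_env_function_import() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo probe' 2>/dev/null) || true
    case $out in
        *vulnerable*) return 0 ;;
        *probe*)      return 1 ;;
        *)            return 2 ;;
    esac
}

# One-line report for a binary: version string, parsed patchlevel, probe result.
check_bash() {
    ver=$("$1" -c 'echo "$BASH_VERSION"' 2>/dev/null) || ver=
    pl=$(bash_patchlevel "$ver") || pl=unknown
    rc=0
    probe_env_function_import "$1" || rc=$?
    case $rc in
        0) status=VULNERABLE ;;
        1) status=not-vulnerable ;;
        *) status=inconclusive ;;
    esac
    printf '%s version=%s patchlevel=%s env-function-import=%s\n' \
        "$1" "$ver" "$pl" "$status"
}

# Usage: sh thisfile ./bash
if [ $# -gt 0 ]; then check_bash "$1"; fi
```

A binary that reports patchlevel 0 or an unparseable version but probes as not-vulnerable has the fix for the quoted test applied even though its version string does not show it.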