On 10/17/2014 08:18 AM, Greg Wooledge wrote:
> On Fri, Oct 17, 2014 at 10:10:36AM -0400, Dave Kalaluhi wrote:
>> Locally we are using:
>>
>> (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in
>> {1..200} ; do echo done ; done) | bash ||
>> echo "CVE-2014-7187 vulnerable, word_lineno"
> 
> As mentioned in previous emails on this topic, that test is NOT
> correct for bash 2.05b because it uses the {1..200} syntax which
> was not introduced until bash 3.  Replace it with a C-style for
> loop.

As also mentioned, that test is ONLY for whether you have a parser bug,
and NOT for whether bash is vulnerable.  The test is misleading, and you
should report it to the site where you found it that it is not a good
test, because it gives misleading results.

The following is a better test for whether CVE-2014-7187 can be
exploited to remotely attack your system:

f='() { echo vulnerable; }' bash -c f

If it prints:
bash: f: command not found

then your system is not vulnerable, no matter how many other parser bugs
it has (6 parser bugs have been assigned a CVE so far, but there are
probably others as well).

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
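
The check from the message above, wrapped as a small script. This is an added example, not part of the original thread. The function name check_func_import and the three verdict strings are assumptions made for this illustration. It also covers a case the one-liner cannot distinguish by eye: a shell path that does not exist exits with 127 as well, which must not be read as "not vulnerable".

```shell
#!/bin/sh
# Added example (not from the original email).
# check_func_import SHELL
#   Runs the thread's test, f='() { echo vulnerable; }' SHELL -c f,
#   and prints one verdict: vulnerable | not-vulnerable | inconclusive
check_func_import() {
    shell_bin=$1

    # A missing shell also yields exit status 127, so rule that out first.
    if ! command -v "$shell_bin" >/dev/null 2>&1; then
        echo inconclusive
        return 0
    fi

    # Pass an ordinary environment variable named f whose value looks like
    # a function body, then ask the shell to run a command called f.
    status=0
    out=$(f='() { echo vulnerable; }' "$shell_bin" -c f 2>/dev/null) || status=$?

    if [ "$out" = "vulnerable" ]; then
        # The shell turned the variable into a function and ran it.
        echo vulnerable
    elif [ "$status" -eq 127 ] && [ -z "$out" ]; then
        # "f: command not found": the variable stayed a plain string.
        echo not-vulnerable
    else
        # Something else happened, e.g. a real program named f is on PATH.
        echo inconclusive
    fi
    return 0
}

# Optional direct use: sh this-script.sh /bin/bash
if [ "$#" -gt 0 ]; then
    check_func_import "$1"
fi
```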
