Hey guys, according to a Twitter post (https://twitter.com/taviso/status/514887394294652929), the patch which came out last night is still vulnerable:

This part was fixed by 4.2+dfsg-0.1+deb7u1:

de...@bortfeldt.net:~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

But this is still usable:

denny@dbortfeldt:~$ env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("
bash: X: Zeile 1: Syntaxfehler beim unerwarteten Wort »=«
bash: X: Zeile 1: `'
bash: Fehler beim Importieren der Funktionsdefinition für »X«.
still vulnerable :(

Is it possible to also fix the 2nd part so that bash is really not vulnerable at all? I saw that Gentoo also patched bash twice.

Thanks in advance.

Sincerely,
Denny