The BASH 4.2 which is, as of this email, on the CBTTape.org is 4.2.0. I.e. unpatched. I have patched up to 4.2.48, which includes the first of the SHELLSHOCK patches. That is the latest patch that I found on the GNU ftp site. I have compiled and tested it on 2.1 and 1.12. It does _NOT_ exhibit the vulnerability mentioned. It still has one glaring problem: I haven't gotten the readline function working completely. That means that command line recall and editing is not totally functional. Some editing things work and others don't. I will post an announcement here when the CBT site is updated. I hope it will be early next week. It all just depends on availability of time to get everything done.
I am very grateful to the IBM people for 2.03 because I basically just upgraded their code to fit into 4.2. So it was not as difficult as it would have been if I had been on my own. I am, at best, a mid-level C programmer. And BASH is not a simple package. Although it was faster than my current attempts on TCL 8.6.2, which I need to update SQLite. Of course, I still want GNU's version of awk, sed, and grep.

On Fri, Sep 26, 2014 at 11:49 AM, Ed Jaffe <[email protected]> wrote:
> On 9/26/2014 7:04 AM, John McKown wrote:
>>
>> As a bit of an aside, I used the source IBM supplied for the 2.03
>> version to port the 4.2.0(4) version to z/OS. This version is on the
>> CBTTape.org site and it __IS__ vulnerable. When I find a patch which
>> fits and get the time, I do plan to update the z/OS port of 4.2. I've
>> been going down rabbit holes on another project right now. The only
>> way that I can see this as an exploit might be if someone used BASH in
>> a CGI.
>
> Thank you for doing this port and sharing with the z/OS community!
>
> We still use the 2.03 release that IBM ported years ago. I would dearly like
> us to upgrade to 4.2.
>
> --
> Edward E Jaffe
> Phoenix Software International, Inc
> 831 Parkview Drive North
> El Segundo, CA 90245
> http://www.phoenixsoftware.com/
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN

--
There is nothing more pleasant than traveling and meeting new people!
Genghis Khan

Maranatha! <><
John McKown
