On 09/24/2014 03:56 PM, Patrick O'Callaghan wrote:
http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-sec...
From the article:
The vulnerability affects versions 1.14 through 4.3 of GNU Bash. [...]
To check your system, from a command line, type:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the system is vulnerable, the output will be:
vulnerable
this is a test
An unaffected (or patched) system will output:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
I tried it and got the positive (vulnerable) result.
Can we assume a patched version of Bash will be released shortly?
poc
Where can I get the official patches for:
CVE-2014-6271
CVE-2014-7169
and once I get these patches, how can I add the details into the bash
spec file?
Once I get the information, I should be ready to go.