This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: Updated: bash-4.1.16-8

From: Eric Blake <eblake at redhat dot com>
To: The Cygwin Mailing List <cygwin at cygwin dot com>
Date: Thu, 02 Oct 2014 22:24:25 -0600
Subject: Re: Updated: bash-4.1.16-8
Authentication-results: sourceware.org; auth=none
Openpgp: url=http://people.redhat.com/eblake/eblake.gpg
References: <542E1B8C dot 7070807 at byu dot net>

On 10/02/2014 09:44 PM, Eric Blake (cygwin) wrote:

> To avoid confusion, the following test unambiguously tests if you are
> vulnerable to ShellShock:
> $ env 'x=() { echo vulnerable; }' bash -c x
> 
> If it prints "x: command not found", your version of bash is safe and
> not subject to remote exploits.  If it prints "vulnerable", you need to
> upgrade now.

D'oh - it was pointed out to me that on systems where the X server is
installed, the command 'x' might actually attempt to fire up an X server
rather than reporting command not found.  Don't worry - that's also a
sign that you are NOT vulnerable (the attempt to define a function to
mask out an existing command did not succeed).

But it's better to write a probe that is less likely to conflict with a
real command:

$ env 'nosuch=() { echo vulnerable; }' bash -c nosuch

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]