[TriLUG] Fwd: [ NNSquad ] Bug in Bash shell creates big security hole on anything with *nix in it

Ric Moore wayward4now at gmail.com
Sat Sep 27 14:34:48 EDT 2014


On 09/24/2014 06:37 PM, Steve Holton wrote:
> Quick summary:
>
> There is an easy test to determine if a Linux or Unix system is vulnerable.
>> To check your system, from a command line, type:
>
> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>> If the system is vulnerable, the output will be:
>> vulnerable
>>   this is a test
>> An unaffected (or patched) system will output:
>> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>>   bash: warning: x: ignoring function definition attempt
>>   bash: error importing function definition for `x'
>>   this is a test
>> The fix is an update to a patched version of the Bash shell. To be safe,
>> administrators should do a blanket update of their versions of Bash in any
>> case.
>
>
>
> ---------- Forwarded message ----------
> From: Lauren Weinstein <lauren at vortex.com>
> Date: Wed, Sep 24, 2014 at 6:02 PM
> Subject: [ NNSquad ] Bug in Bash shell creates big security hole on
> anything with *nix in it
> To: nnsquad at nnsquad.org
>
>
>
> Bug in Bash shell creates big security hole on anything with *nix in it
> Could allow attackers to execute code on Linux, Unix, and Mac OS X
>
> (Ars):
> http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
>
>     "The bug, discovered by Stephane Schazelas, is related to how Bash
>      processes environmental variables passed by the operating system or by
>      a program calling a Bash-based script. If Bash has been configured as
>      the default system shell, it can be used by network-based attackers
>      against servers and other Unix and Linux devices via Web requests,
>      secure shell, telnet sessions, or other programs that use Bash to
>      execute scripts."

Debian Jessie cured that last night with updates. :) Ric

root at iam:/home/ric# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test


-- 
My father, Victor Moore (Vic) used to say:
"There are two Great Sins in the world...
..the Sin of Ignorance, and the Sin of Stupidity.
Only the former may be overcome." R.I.P. Dad.
Linux user# 44256
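
An added example, not part of the original message: the probe quoted in the thread, wrapped in a POSIX sh script so it can be run against every copy of bash on a host and checked from automation. The function names and the candidate paths are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: automate the probe from the thread for one or more bash binaries.

# classify_output TEXT -> prints "vulnerable", "patched" or "unknown".
# Decides only from the probe's stdout: the injected "echo vulnerable"
# runs only if bash executes the code trailing the function body in x.
classify_output() {
    case $1 in
        *vulnerable*)       echo vulnerable ;;
        *"this is a test"*) echo patched ;;
        *)                  echo unknown ;;
    esac
}

# check_bash PATH -> prints a verdict for that binary; returns 0 only if patched.
check_bash() {
    [ -x "$1" ] || { echo missing; return 2; }
    # Same environment variable and command as the test quoted in the thread.
    # stderr is dropped so warnings do not affect the verdict.
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null)
    verdict=$(classify_output "$out")
    echo "$verdict"
    [ "$verdict" = patched ]
}

# Candidate locations are assumptions; add any other copies of bash you ship.
for b in "$(command -v bash)" /bin/bash /usr/local/bin/bash; do
    if [ -n "$b" ] && [ -e "$b" ]; then
        printf '%s: %s\n' "$b" "$(check_bash "$b")"
    fi
done
```

Because check_bash returns non-zero for anything other than a patched binary, it can gate a configuration-management or monitoring check directly.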


