"Be aware that there are multiple problems. The main one was patched Wednesday in major distributions, but other problems were patched Thursday and this morning.
Presence of the additional problems can be tested with the following — yes, this is correct, even though the text looks mangled because of a missing } and other things; http://pastebin.com/PpgwgEfR
If you see the current date and time printed (along with error messages), CVE-2014-7169 is still present. If you see only error messages, you’re safe."
patti@linux-l8th:~> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
patti@linux-l8th:~> env X='() { (a)=>\' sh -c "echo date"; cat echo; rm echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Fri Sep 26 13:35:44 PDT 2014
patti@linux-l8th:~>
That is the most common mistake, i.e. if you write POSIX sh syntax then it will work with a #!/bin/bash header (or wherever your bash resides),
but not the other way around ;).
Sigh.
I just did exactly the same as in the original post, to show that the bug should already be fixed in the official packages as well.
And as you can see in the original post, the vulnerability was there with sh as well, posix compatibility mode or not.
But ok, here again with bash:
Are you satisfied now?
A sidenote: for running sh -c "echo date", it shouldn't matter whether you use sh (bash in sh mode) or bash at all. There is absolutely no (possibly changed) shell syntax involved here.
Install all recent updates, and you should not need to worry, I’d say…
I’m not sure if all vulnerabilities are fixed by now, but the one you asked about definitely is.
If other patches are still necessary, they will be released as updates as well ASAP.
–
Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
openSUSE 13.1 (Bottle) (x86_64) GNOME 3.10.1 Kernel 3.11.10-21-desktop
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!
hp-g7-2248sg<2014Sep27><18:12><~> env X='() { (a)=>\' bash -c "echo date"; cat echo; rm echo
date
Sat Sep 27 11:28:54 CEST 2014
hp-g7-2248sg<2014Sep27><18:25><~> rpm -qi bash
Name : bash
Version : 4.2
Release : 245.1
Architecture: x86_64
Install Date: Sat 27 Sep 2014 11:35:57 CEST
Group : System/Shells
Size : 720785
License : GPL-3.0+
Signature : RSA/SHA1, Fri 26 Sep 2014 15:01:51 CEST, Key ID 88eb5d66e2c0098c
Source RPM : bash-4.2-245.1.src.rpm
Build Date : Fri 26 Sep 2014 15:00:50 CEST
Build Host : build10
Relocations : (not relocatable)
Vendor : obs://build.opensuse.org/Base:System
URL : http://www.gnu.org/software/bash/bash.html
Summary : The GNU Bourne-Again Shell
Description :
Bash is an sh-compatible command interpreter that executes commands
read from standard input or from a file. Bash incorporates useful
features from the Korn and C shells (ksh and csh). Bash is intended to
be a conformant implementation of the IEEE Posix Shell and Tools
specification (IEEE Working Group 1003.2).
Distribution: Base:System / openSUSE_Factory
hp-g7-2248sg<2014Sep27><18:26><~>
hp-g7-2248sg<2014Sep27><18:38><~> env X='() { (a)=>\' bash -c "echo date"; cat echo; rm echo
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
Sat 27 Sep 18:38:39 CEST 2014
hp-g7-2248sg<2014Sep27><18:38><~>
hp-g7-2248sg<2014Sep27><18:38><~> rpm -qi bash
Name : bash
Version : 4.3
Release : 13.1
Architecture: x86_64
Install Date: Sat 27 Sep 2014 18:35:32 CEST
Group : System/Shells
Size : 764301
License : GPL-3.0+
Signature : DSA/SHA1, Fri 26 Sep 2014 10:54:56 CEST, Key ID 85cfe451b91e1e8b
Source RPM : bash-4.3-13.1.src.rpm
Build Date : Fri 26 Sep 2014 10:54:22 CEST
Build Host : build21
Relocations : (not relocatable)
Vendor : obs://build.opensuse.org/shells
URL : http://www.gnu.org/software/bash/bash.html
Summary : The GNU Bourne-Again Shell
Description :
Bash is an sh-compatible command interpreter that executes commands
read from standard input or from a file. Bash incorporates useful
features from the Korn and C shells (ksh and csh). Bash is intended to
be a conformant implementation of the IEEE Posix Shell and Tools
specification (IEEE Working Group 1003.2).
Distribution: shells / openSUSE_Factory
hp-g7-2248sg<2014Sep27><18:40><~>
AFAICS, that version contains the exact same patches as the 13.1 update.
So you should get the same error messages as others in this thread have shown already.
Have you rebooted your system? You need to restart bash to run the fixed version. A running instance will still contain the vulnerability after you installed the update.
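An added example, not code from this thread or from openSUSE: a small POSIX sh script that runs the two probes discussed above (the CVE-2014-6271 environment-function test and the CVE-2014-7169 redirect test) in a scratch directory, reports what /bin/sh resolves to, and compares the version of the shell you are sitting in with a freshly spawned bash, since a `bash -c` probe exercises the installed binary, not the instance you already have open. The function names and the report format are my own; `readlink -f` and `mktemp -d` are assumed to be available.

```shell
#!/bin/sh
# Added example (not from the thread): runs the two Shellshock probes discussed
# above in a scratch directory and reports the result. Function names are mine.

# Which binary services "sh"? On many distributions /bin/sh is a symlink to bash
# (or to dash), which is why the sh and bash runs above behave the same.
# readlink -f is assumed to be available (GNU or BusyBox coreutils).
sh_target() {
    readlink -f /bin/sh 2>/dev/null || echo unknown
}

# CVE-2014-6271: code after a function definition in the environment must not run.
# Returns 0 = not vulnerable, 1 = vulnerable, 2 = could not test (no bash found).
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || return 2
    c1_out=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>/dev/null || :)
    case "$c1_out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# CVE-2014-7169: the parser bug leaks a stray redirection into the next command, so a
# vulnerable bash runs "date" with stdout redirected to a file literally named "echo".
# Running the probe in a temporary directory keeps that file out of the caller's cwd.
# Returns 0 = not vulnerable, 1 = vulnerable, 2 = could not test.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || return 2
    c2_dir=$(mktemp -d 2>/dev/null) || return 2
    c2_rc=0
    (
        cd "$c2_dir" || exit 2
        env X='() { (a)=>\' bash -c "echo date" >/dev/null 2>&1 || :
        # On a patched bash nothing is written; the thread's "cat echo" then fails.
        if [ -e echo ]; then exit 1; else exit 0; fi
    ) || c2_rc=$?
    rm -rf "$c2_dir"
    return "$c2_rc"
}

# A fresh "bash -c" (which is what the probes above spawn) runs the installed binary.
# Shells and daemons that were already running when the package was updated keep
# executing the old code until restarted, so compare this shell with a new one.
# Returns 0 = same version, or this script is not running under bash; 1 = differs.
stale_bash_check() {
    command -v bash >/dev/null 2>&1 || return 0
    sb_new=$(bash -c 'printf %s "$BASH_VERSION"' 2>/dev/null || :)
    if [ -z "${BASH_VERSION:-}" ]; then
        echo "this script is not running under bash; a new bash reports $sb_new"
        return 0
    fi
    if [ "$BASH_VERSION" = "$sb_new" ]; then
        echo "running bash $BASH_VERSION matches a freshly started one"
        return 0
    fi
    echo "running bash $BASH_VERSION, but a freshly started bash is $sb_new: restart it"
    return 1
}

# One line per probe; exit status 0 only when no probe reported "vulnerable".
shellshock_report() {
    sr_status=0
    echo "/bin/sh resolves to: $(sh_target)"
    stale_bash_check || :
    for sr_check in check_cve_2014_6271 check_cve_2014_7169; do
        sr_rc=0
        "$sr_check" || sr_rc=$?
        case "$sr_rc" in
            0) echo "$sr_check: not vulnerable" ;;
            1) echo "$sr_check: VULNERABLE"; sr_status=1 ;;
            *) echo "$sr_check: could not test (is bash installed?)" ;;
        esac
    done
    return "$sr_status"
}

shellshock_report
```

Two caveats when reading the output: a distribution rebuild can ship a fix without changing the `$BASH_VERSION` string, so a matching version does not prove the running instance is fresh, and the probes only cover the two CVEs named in this thread, not anything published afterwards.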
Both looked bad: the laptop only booted 1 in about 6 tries with the latter bash,
so I re-installed the prior bash.
This output now looks to be fine:
hp-g7-2248sg<2014Sep27><22:42><~> env X='() { (a)=>\' bash -c "echo date"; cat echo; rm echo
date
cat: echo: No such file or directory
rm: cannot remove ‘echo’: No such file or directory
hp-g7-2248sg<2014Sep27><22:43><~>
Also no problems booting now.
Maybe this is a one-off; sorry for the inconvenience.