
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

From https://securityblog.redhat.com/2014/09/24/bash-specially-cr...




Oh damn:

    curl -H 'User-Agent: () { :;}; echo; echo vulnerable to CVE-2014-6271' <shell script CGI URL>

Tested and working against a shell script CGI.


Whoa. I tried this, ran pacaur -Suy and .. it's patched.

Arch was fast.


If you're on Arch, you might want to think about using dash as your /usr/bin/sh after updating, see [0].

[0] https://wiki.archlinux.org/index.php/Dash


Also make sure your mirror is up to date. When I updated this morning, osuosl was out of date (and still is as of this comment: https://www.archlinux.org/mirrors/osuosl.org/125/)


    $ x='() { :;}; echo vulnerable' bash -c 'echo test'
    vulnerable
    test
    $ pacman -Syu
    ...
    $ x='() { :;}; echo vulnerable' bash -c 'echo test'
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    test
Benefits of using an OS with a real package manager.


Just don't turn it off after you've run `pacman -Syu`, it will never boot again ;)


I know you're just teasing, but I've got a machine with an arch install from over two years ago that's still running great. Just did an -Syyu to get bash updated.


The trick is to keep up with the updates, do pacman -Syu every two weeks or so, and not wait months.


After it happened 5 times in a row, I finally just aliased pacman -Syu to "breakX".


I learned today that some mirrors update their package database a lot faster than others. Had to switch mirrors to get the new bash.

https://www.archlinux.org/mirrors/status/


It's fixed in Debian as well.


Only in wheezy (security) right now.

squeeze. jessie and wheezy are still vulnerable.

https://security-tracker.debian.org/tracker/CVE-2014-6271


squeeze is not supported anymore but you can use squeeze-lts.

It's been uploaded to squeeze-lts but has not reached the mirrors.

You can get it manually from http://incoming.debian.org/debian-buildd/pool/main/b/bash/ if you can't wait.


I've got a Debian VM I maintain for giggles, and just out of masochism I've been running "apt-get update" and "apt-get upgrade" for a while and watching nothing change.. Am I doing something wrong or is the whole process just slow?

    deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
    deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free


You probably have:

    APT::Default-Release "squeeze";
In a configuration somewhere. Check /etc/apt and the various files in the subdirectories of that.

If you have that line, remove it or change it to squeeze-lts.


I am not so sure. Debian sid (i386) with current updates, the example test shows I am still vulnerable. 4.3-9 bash


I ran

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
and got

    vulnerable
    this is a test
so I did

    apt-get update
    apt-get install bash
and now I get

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
bash version 4.2.37(1)-release

Edited: Seems like jvreeland has a clearer picture: https://news.ycombinator.com/item?id=8362309


Yeah, I was current yesterday and I'm current today, with both apt-get update and upgrades. Your version number is lower than mine, you must be on either stable or testing.

    ii bash 4.3-9 i386 GNU Bourne Again SHell

    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test

From the FAQ:

> Does sid have security updates?

Not in the same sense that stable does. If the maintainer of a package fixes a security bug and uploads the package, it'll go into sid by the normal means. If the maintainer doesn't do that, then it won't. The security team only covers stable (and possibly testing... there's a pending issue for that case).


sid/unstable had a fix uploaded ~3 hrs ago fwiw (after you made your comment).


Only for amd64 though, ctrl+f for "4.3-9.1": http://ftp.debian.org/debian/pool/main/b/bash/


Yep. A current i386 debian is still vulnerable, some hours later. Curses.

Edit: I see that even those who got the patch are in fact still vulnerable.


http://seclists.org/oss-sec/2014/q3/672

Still vulnerable.

    env X='() { (lol)=>\' bash -c "echo id"; cat echo
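
Added example, not part of the thread or any commenter's code: a POSIX shell function that runs the two probes quoted in the comments above (the original `x='() { :;}; ...'` test and the oss-sec follow-up) inside a scratch directory and classifies a bash binary. The function name `check_bash` and the labels `unpatched`, `partial`, `patched` and `missing` are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread). check_bash and its result labels are
# hypothetical names chosen for this illustration.
# Usage: check_bash [path-or-name-of-bash]
# Prints one of: unpatched | partial | patched | missing
check_bash() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "missing"
        return 2
    fi

    # Run both probes in a scratch directory: when the second probe
    # succeeds it creates a file named "echo" in the current directory.
    scratch="$(mktemp -d)" || return 2
    result="patched"

    # Probe 1 (first command in the thread): a bash without the first fix
    # executes the code that trails the imported function definition.
    out="$(cd "$scratch" && env x='() { :;}; echo vulnerable' \
        "$bash_bin" -c 'echo test' 2>/dev/null || true)"
    case "$out" in
        *vulnerable*) result="unpatched" ;;
    esac

    # Probe 2 (last command in the thread): a bash with only the first fix
    # still mis-parses the variable and redirects output into ./echo.
    if [ "$result" = "patched" ]; then
        (cd "$scratch" && env X='() { (lol)=>\' \
            "$bash_bin" -c 'echo id' >/dev/null 2>&1) || true
        if [ -e "$scratch/echo" ]; then
            result="partial"
        fi
    fi

    rm -rf "$scratch"
    echo "$result"
}
```

Source the file and call `check_bash /bin/bash` (or any other bash path) after updating; `partial` corresponds to the state described in the last comments, where the first patch is installed but the follow-up probe still works.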



