Updated: bash-4.1.16-8

Eric Blake eblake@redhat.com
Fri Oct 3 04:24:00 GMT 2014


On 10/02/2014 09:44 PM, Eric Blake (cygwin) wrote:

> To avoid confusion, the following test unambiguously tests if you are
> vulnerable to ShellShock:
> $ env 'x=() { echo vulnerable; }' bash -c x
> 
> If it prints "x: command not found", your version of bash is safe and
> not subject to remote exploits.  If it prints "vulnerable", you need to
> upgrade now.

D'oh - it was pointed out to me that on systems where the X server is
installed, the command 'x' might actually attempt to fire up an X server
rather than reporting command not found.  Don't worry - that's also a
sign that you are NOT vulnerable (the attempt to define a function to
mask out an existing command did not succeed).

But it's better to write a probe that is less likely to conflict with a
real command:

$ env 'nosuch=() { echo vulnerable; }' bash -c nosuch


-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
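As an added example that is not part of Eric Blake's message or of the bash or Cygwin projects, the probe from the thread can be wrapped in a small POSIX sh function so that the verdict is a plain word on stdout and an exit status, which is easier to feed into an inventory or configuration-management check than reading "command not found" by eye. The function name `shellshock_probe`, the `BASH_BIN` variable and the `unknown` verdict are assumptions of this example, not anything from the thread; the probe line itself is the one from the message above.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original message):
# report whether a given bash binary executes function definitions
# imported from the environment, i.e. whether it is exposed to ShellShock.

# shellshock_probe [BASH_PATH]
#   prints "safe", "vulnerable" or "unknown" on stdout
#   returns 0 for safe, 1 for vulnerable, 2 if the binary cannot be run
shellshock_probe() {
    probe_bin=${1:-bash}

    # Refuse to guess when the binary is not there: an empty result would
    # otherwise look like "safe".
    case $probe_bin in
        */*) [ -x "$probe_bin" ] || { echo unknown; return 2; } ;;
        *)   command -v "$probe_bin" >/dev/null 2>&1 || { echo unknown; return 2; } ;;
    esac

    # The message explains why the probe name must not be a real command:
    # on a patched bash the name is simply looked up as a command, so a
    # collision (the 'x' X-server case) would muddy the verdict. Warn if
    # "nosuch" happens to exist on this system.
    if command -v nosuch >/dev/null 2>&1; then
        echo "warning: a real 'nosuch' command exists; verdict may be unreliable" >&2
    fi

    # The probe from the thread. A patched bash ignores the function-shaped
    # variable and prints "nosuch: command not found" on stderr (discarded
    # here); a vulnerable bash defines the function and runs its body,
    # which prints "vulnerable" on stdout.
    probe_out=$(env 'nosuch=() { echo vulnerable; }' "$probe_bin" -c nosuch 2>/dev/null)

    case $probe_out in
        *vulnerable*) echo vulnerable; return 1 ;;
        *)            echo safe;       return 0 ;;
    esac
}

# Stand-alone usage: BASH_BIN=/path/to/bash sh probe.sh (defaults to "bash" on PATH).
shellshock_probe "${BASH_BIN:-bash}"
```

The verdict is taken from stdout only, so whatever the patched bash writes to stderr (the "command not found" text, or an X server failing to start if a colliding command exists) cannot be mistaken for a vulnerable result; only the literal output of the function body counts.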




