cygwin bash and Shellshock / CVE-2014-6271 & CVE-2014-7169
Richard DeFuria
rdefuria@belarc.com
Fri Sep 26 20:06:00 GMT 2014
Hello,

I downloaded the latest setup and installed the latest packages on my Win8.1
x64 box.

It seems as though my cygwin bash shell has been patched against
CVE-2014-6271 as per:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

However, it is still susceptible to CVE-2014-7169 as per:

$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Fri, Sep 26, 2014 3:23:15 PM

That is, the 'original' Shellshock vulnerability is fixed, but not the 'new'
Shellshock vulnerability.

Is this correct?

Other info:

cygcheck.out is attached

$ bash --version
GNU bash, version 4.1.11(5)-release (x86_64-unknown-cygwin)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cygcheck.out
Type: application/octet-stream
Size: 55291 bytes
Desc: not available
URL: <http://cygwin.com/pipermail/cygwin/attachments/20140926/5f009fa2/attachment.obj>
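
The two probes shown in the message above, wrapped into one script as an added example (not part of the original post or of Cygwin). The function names and result strings are hypothetical. The CVE-2014-7169 check runs in a scratch directory and looks for the stray file named "echo" that the probe leaves behind on an affected shell, rather than parsing output.

```shell
#!/bin/sh
# Added example: both probes from the message, run against a chosen shell.
# Function names and result strings are this example's own (hypothetical).

# CVE-2014-6271: an unpatched bash executes the command that trails a
# function definition imported from the environment.
check_6271() {
    shell="${1:-bash}"
    command -v "$shell" >/dev/null 2>&1 || { echo no-such-shell; return 2; }
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo this is a test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: the leftover parser state turns "echo date" into "date"
# with its output redirected to a file named "echo" in the current directory.
# Run in a scratch directory and test for that file instead of reading output.
check_7169() {
    shell="${1:-bash}"
    command -v "$shell" >/dev/null 2>&1 || { echo no-such-shell; return 2; }
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' "$shell" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$tmp"
    echo "$result"
}

# Print one line per CVE for the shell given as the first argument.
shellshock_report() {
    printf 'CVE-2014-6271: %s\n' "$(check_6271 "$1")"
    printf 'CVE-2014-7169: %s\n' "$(check_7169 "$1")"
}

shellshock_report "${1:-bash}"
```

Pass the shell to test as the first argument (for example `sh`, which is the binary the second probe in the message invokes); with no argument it checks `bash`.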