Bash ShellShock bug(s)

n j nino80 at gmail.com
Mon Sep 29 09:26:55 UTC 2014


Hi,

On Mon, Sep 29, 2014 at 9:55 AM, Patrick Proniewski <patpro at patpro.net>
wrote:

>
> On 29 sept. 2014, at 09:34, Кулешов Алексей <rndfax at yandex.ru> wrote:
>
> > Right. Okay then, here it is:
> >
> > # pkg remove bash
> > ... change 'bash' to 'sh' in bashcheck ...
> > # sh bashcheck
> > Not vulnerable to CVE-2014-6271 (original shellshock)
> > Not vulnerable to CVE-2014-7169 (taviso bug)
> > Not vulnerable to CVE-2014-7186 (redir_stack bug)
> > Vulnerable to CVE-2014-7187 (nessted loops off by one)
> > Variable function parser inactive, likely safe from unknown parser bugs
> >
> > So, there is no bash on my system anymore, but the script says it has one
> > vulnerability.
> > Is it actually a vulnerability, or is it me who must take a good sleep? :)
>
> This is odd. As far as I know, no one reported sh as being vulnerable to
> CVE-2014-7187. But maybe it's only on FreeBSD... I don't have an answer to
> that.
>

I'd say the test is not relevant for sh. The line that tests for
CVE-2014-7187 uses the {1..200} construct, which is not understood by sh.

E.g.
sh$ for i in {1..5}; do echo -n  $i; done
{1..5}
bash$ for i in {1..5}; do echo -n $i; done
12345

Br,
-- 
Nino
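
The point made in the message above, as an added example that is not part of the original thread or of bashcheck: a guard that probes an interpreter with the same loop before trusting the result of a test built on {1..N}. The function names are hypothetical, and printf stands in for "echo -n", which is not portable across sh variants.

```shell
#!/bin/sh
# Added example (hypothetical helper names): decide whether a check that
# relies on {1..N} brace expansion is meaningful for a given interpreter.

# Classify the output of the probe loop. A shell with brace expansion
# prints 12345; a shell without it prints the literal word {1..5}.
classify_probe() {
    case "$1" in
        12345)    echo expanded ;;
        '{1..5}') echo literal ;;
        *)        echo unknown ;;
    esac
}

# Run the probe loop from the message in the interpreter named by $1.
# A missing or failing interpreter yields empty output, i.e. "unknown".
probe_shell() {
    out=$("$1" -c 'for i in {1..5}; do printf %s "$i"; done' 2>/dev/null) || out=
    classify_probe "$out"
}

# Say whether a verdict from a {1..N}-based test can be trusted for $1.
test_applicable() {
    case "$(probe_shell "$1")" in
        expanded) echo "$1: brace expansion works, test result is meaningful" ;;
        literal)  echo "$1: no brace expansion, test result is not relevant" ;;
        *)        echo "$1: probe failed, result unknown" ;;
    esac
}

# Usage: sh thisfile sh bash /usr/local/bin/bash
for s in "$@"; do
    test_applicable "$s"
done
```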

