Bash ShellShock bug(s)

Kulesho rndfax at yandex.ru
Mon Sep 29 10:36:35 UTC 2014


Thank you for the explanation! Now I can sleep calmly.

29.09.2014, 13:27, "n j" <nino80 at gmail.com>:
> Hi,
>
> On Mon, Sep 29, 2014 at 9:55 AM, Patrick Proniewski <patpro at patpro.net>
> wrote:
>>  On 29 sept. 2014, at 09:34, Кулешов Алексей <rndfax at yandex.ru> wrote:
>>>  Right. Okay then, here it is:
>>>
>>>  # pkg remove bash
>>>  ... change 'bash' to 'sh' in bashcheck ...
>>>  # sh bashcheck
>>>  Not vulnerable to CVE-2014-6271 (original shellshock)
>>>  Not vulnerable to CVE-2014-7169 (taviso bug)
>>>  Not vulnerable to CVE-2014-7186 (redir_stack bug)
>>>  Vulnerable to CVE-2014-7187 (nessted loops off by one)
>>>  Variable function parser inactive, likely safe from unknown parser bugs
>>>
>>>  So, there is no bash on my system anymore, but the script says it has one
>>>  vulnerability.
>>>  Is it actually a vulnerability, or is it me who must get a good sleep? :)
>>  This is odd. As far as I know, no one reported sh as being vulnerable to
>>  CVE-2014-7187. But maybe it's only on FreeBSD... I don't have an answer to
>>  that.
>
> I'd say the test is not relevant for sh. The line that tests for
> CVE-2014-7187 uses {1..200} construct which is not understood by sh.
>
> E.g.
> sh$ for i in {1..5}; do echo -n  $i; done
> {1..5}
> bash$ for i in {1..5}; do echo -n $i; done
> 12345
>
> Br,
> --
> Nino
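Added example (not from the thread and not from bashcheck) showing why a {1..200} test misfires under a shell without brace expansion, and a portable way to write the same loop; the function names are my own.

```sh
#!/bin/sh
# Added example: why the bash-only {1..200} test is meaningless under POSIX sh,
# and a portable loop that behaves the same in sh and bash.

# Number of words the running shell makes from the literal {1..200}.
# bash (also ksh/zsh) expands it to 200 words; a POSIX sh such as FreeBSD
# /bin/sh or dash leaves it as the single word "{1..200}", so a loop over it
# runs exactly once with x="{1..200}" and the test's result says nothing.
brace_word_count() {
    set -- {1..200}
    echo "$#"
}

# Exit status 0 when the shell expands brace ranges, 1 otherwise.
brace_expansion_supported() {
    [ "$(brace_word_count)" -gt 1 ]
}

# Portable replacement for "for i in {1..N}": prints 1..N separated by spaces
# using only POSIX arithmetic, so the body runs N times in any sh. printf is
# used instead of "echo -n" because echo -n is not portable either.
portable_range() {
    n="$1"
    i=1
    out=""
    while [ "$i" -le "$n" ]; do
        out="${out}${out:+ }$i"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Guard for a bash-specific check: refuse to report a verdict when the shell
# running the check cannot even execute the test construct.
check_or_bail() {
    if brace_expansion_supported; then
        echo "brace expansion works: the {1..200} test is meaningful here"
    else
        echo "no brace expansion: this shell cannot run the bash test" >&2
        return 2
    fi
}
```

Run the same file under /bin/sh and under bash to see brace_word_count report 1 and 200 respectively, while portable_range gives the same answer in both.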

