bash velnerability
Mike Tancsa
mike at sentex.net
Mon Sep 29 16:02:06 UTC 2014
On 9/26/2014 5:01 PM, Bryan Drewery wrote:
> On 9/26/2014 12:41 PM, Bryan Drewery wrote:
>> On 9/26/2014 11:51 AM, Bryan Drewery wrote:
>>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>>>> Apparently, the full fix is still not delivered, accordingly to this:
>>>> http://seclists.org/oss-sec/2014/q3/741
>>>>
>>>> Kind regards,
>>>> Bartek Rutkowski
>>>>
>>>
>>> I'm pretty sure they call that a "feature". This is a bit different.
>
> I've disabled environment function importing in the port. Using
> --import-functions will allow it to work if you need it.
Hi Bryan,
With the latest ports, bashcheck still sees some issues with bash. Are
these false positives on FreeBSD ?
Using
https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
./bashcheck: line 18: 54908 Segmentation fault (core dumped) bash
-c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
More information about the freebsd-security
mailing list