On 10/02/2014 09:44 PM, Eric Blake (cygwin) wrote:

> To avoid confusion, the following test unambiguously tests if you are
> vulnerable to ShellShock:
> $ env 'x=() { echo vulnerable; }' bash -c x
> 
> If it prints "x: command not found", your version of bash is safe and
> not subject to remote exploits.  If it prints "vulnerable", you need to
> upgrade now.

D'oh - it was pointed out to me that on systems where the X server is
installed, the command 'x' might actually attempt to fire up an X server
rather than reporting command not found.  Don't worry - that's also a
sign that you are NOT vulnerable (the attempt to define a function to
mask out an existing command did not succeed).

But it's better to write a probe that is less likely to conflict with a
real command:

$ env 'nosuch=() { echo vulnerable; }' bash -c nosuch


-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org