* Re: Updated: bash-4.1.16-8
[not found] <542E1B8C.7070807@byu.net>
@ 2014-10-03 4:24 ` Eric Blake
0 siblings, 0 replies; only message in thread
From: Eric Blake @ 2014-10-03 4:24 UTC (permalink / raw)
To: The Cygwin Mailing List
[-- Attachment #1: Type: text/plain, Size: 972 bytes --]
On 10/02/2014 09:44 PM, Eric Blake (cygwin) wrote:
> To avoid confusion, the following test unambiguously tests if you are
> vulnerable to ShellShock:
> $ env 'x=() { echo vulnerable; }' bash -c x
>
> If it prints "x: command not found", your version of bash is safe and
> not subject to remote exploits. If it prints "vulnerable", you need to
> upgrade now.
D'oh - it was pointed out to me that on systems where the X server is
installed, the command 'x' might actually attempt to fire up an X server
rather than reporting command not found. Don't worry - that's also a
sign that you are NOT vulnerable (the attempt to define a function to
mask out an existing command did not succeed).
But it's better to write a probe that is less likely to conflict with a
real command:
$ env 'nosuch=() { echo vulnerable; }' bash -c nosuch
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 539 bytes --]
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2014-10-03 4:24 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <542E1B8C.7070807@byu.net>
2014-10-03 4:24 ` Updated: bash-4.1.16-8 Eric Blake
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).