* Re: Updated: bash-4.1.16-8 [not found] <542E1B8C.7070807@byu.net> @ 2014-10-03 4:24 ` Eric Blake 0 siblings, 0 replies; only message in thread From: Eric Blake @ 2014-10-03 4:24 UTC (permalink / raw) To: The Cygwin Mailing List [-- Attachment #1: Type: text/plain, Size: 972 bytes --] On 10/02/2014 09:44 PM, Eric Blake (cygwin) wrote: > To avoid confusion, the following test unambiguously tests if you are > vulnerable to ShellShock: > $ env 'x=() { echo vulnerable; }' bash -c x > > If it prints "x: command not found", your version of bash is safe and > not subject to remote exploits. If it prints "vulnerable", you need to > upgrade now. D'oh - it was pointed out to me that on systems where the X server is installed, the command 'x' might actually attempt to fire up an X server rather than reporting command not found. Don't worry - that's also a sign that you are NOT vulnerable (the attempt to define a function to mask out an existing command did not succeed). But it's better to write a probe that is less likely to conflict with a real command: $ env 'nosuch=() { echo vulnerable; }' bash -c nosuch -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 539 bytes --] ^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2014-10-03 4:24 UTC | newest] Thread overview: (only message) (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- [not found] <542E1B8C.7070807@byu.net> 2014-10-03 4:24 ` Updated: bash-4.1.16-8 Eric Blake
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).