On 25/09/14 10:57, Dean Pemberton wrote:
A newly discovered vulnerability (CVE-2014-6271) in the Bash command-line interpreter poses a critical security risk to Unix and Linux systems. It allows remote code execution.
For those not following the bouncing ball in detail, there are now at least 5 related bash vulnerabilities (the Wikipedia page -- http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29 -- is doing a reasonable job of tracking new ones as they appear). And at least three rounds of patches (with possibly more to come).

In particular CVE-2014-6277 is a relatively old CVE ID, but the details do not seem to have come out. However distros are being urged to patch it, eg:

http://lcamtuf.blogspot.co.nz/2014/09/bash-bug-apply-unofficial-patch-now.ht...

which says:

".... I've been fuzzing the underlying function parser on the side - and yesterday, bumped into a new parsing issue (CVE-2014-6277) that is almost certainly remotely exploitable and made easier to leverage due to the fact that bash is seldom compiled with ASLR. I'll share the technical details later on; ..."

so it is probably worth keeping an eye out for yet another bash patch. That blog post suggests an unofficial patch which, AFAICT, wraps exported shell functions in a prefix/suffix pair, and that details will be released "Tuesday" (presumably North American Tuesday; so Wednesday here).

Ubuntu has pushed patches for the two newest CVE IDs (CVE-2014-7186, CVE-2014-7187; both mentioned in passing in the above link), as well as a "security improvement" which sounds similar to the unofficial patch (but I've not verified it is the same).

Ewen

PS: IMHO it'd also be a good idea to consider whether you _want_ bash to be your /bin/sh at this point. bash is not the default /bin/sh on modern Debian Linux or Ubuntu Linux -- both use dash by default. The risk is definitely reduced if your system() calls and "#! /bin/sh" scripts end up running something other than bash. Just saying.
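
Added example, not part of the original message: a POSIX sh sketch of the check the PS suggests, reporting what /bin/sh really resolves to and which scripts in a directory run under it via their shebang. The function names and the default directory /usr/local/bin are assumptions made for illustration.

```shell
#!/bin/sh
# Audit helper: is /bin/sh actually bash, and which scripts depend on /bin/sh?

# resolve_shell PATH -> prints the basename of the fully resolved target
# (e.g. "dash" or "bash"); returns 1 if PATH cannot be resolved.
resolve_shell() {
    target=$(readlink -f -- "$1" 2>/dev/null) || return 1
    [ -n "$target" ] && [ -e "$target" ] || return 1
    basename -- "$target"
}

# is_bash PATH -> exit status 0 if PATH resolves to a binary named "bash".
# Name-based only (assumption): a renamed copy of bash is not detected.
is_bash() {
    [ "$(resolve_shell "$1")" = "bash" ]
}

# list_sh_scripts DIR -> prints regular files directly in DIR whose first
# line is a "#!/bin/sh" or "#! /bin/sh" shebang (optionally with arguments),
# i.e. the scripts that run under whatever /bin/sh resolves to.
list_sh_scripts() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        # Read only the first line; tolerate a missing trailing newline.
        IFS= read -r first < "$f" || [ -n "$first" ] || continue
        case $first in
            '#!/bin/sh'|'#!/bin/sh '*|'#! /bin/sh'|'#! /bin/sh '*)
                printf '%s\n' "$f" ;;
        esac
    done
}

# Report for this host; the directory defaults to /usr/local/bin (assumption).
dir=${1:-/usr/local/bin}
printf '/bin/sh resolves to: %s\n' "$(resolve_shell /bin/sh || echo unknown)"
if is_bash /bin/sh; then
    printf 'Scripts in %s that will run under bash via /bin/sh:\n' "$dir"
    list_sh_scripts "$dir"
fi
```
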