Fix test for CVE-2014-6277 to be a function import test from environment... #23

Closed
wants to merge 2 commits into from

Commits on Oct 2, 2014

  1. Fix test for CVE-2014-6277 to be a function import test from environment.
    
    Bash 4.3.28 currently does crash with the example scripts for
    both CVE-2014-6277 and CVE-2014-6278 with no patch[1], but it
    will not run any code from them without specially setting up
    the environment to use the prefixing. Both CVEs are documented
    as specifically environment issues; if you can pass bad code
    directly to bash -c then the attacker has already won.
    
    The check must involve the environment or it will needlessly scare
    users who have deployed appropriate mitigations. For example,
    on FreeBSD (and NetBSD) we have disabled all function importing from
    the environment. So this test passes fine on our bash versions.
    
    The syntax used here is to check the return value to see if it
    crashed, while hiding the core dump messages. There's no
    code execution proven for CVE-2014-6277 yet so there is no
    output that can be checked against.
    
    Switch the test to more closely match the examples from the
    disclosure [2].
    
    [1] http://www.openwall.com/lists/oss-security/2014/10/01/25
    [2] http://lcamtuf.blogspot.de/2014/10/bash-bug-how-we-finally-cracked.html
    bdrewery committed Oct 2, 2014
    ebe2453
  2. Remove checks for special BASH_FUNC prefixes.

    These are seen to not be worth testing and scaring people over[1][2]. Plus
    there is currently no patch to fix them.
    
    [1] http://www.openwall.com/lists/oss-security/2014/10/02/4
    [2] http://www.openwall.com/lists/oss-security/2014/10/02/5
    bdrewery committed Oct 2, 2014
    bd6fdca
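
The first commit message argues that the check has to go through the environment and has to judge the result by return value. The sketch below is an added example, not the project's test and not code from either commit: it passes a harmless function definition (not the crash reproducer from the disclosure) through the environment and classifies the exit status, so a bash with function import disabled reports `not-imported`. `BASH_BIN`, `MARKER`, `gr_probe`, `classify_status` and `probe_import` are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example: benign probe for function import from the environment.
BASH_BIN=${BASH_BIN:-bash}   # assumption: path or name of the bash under test
MARKER=fn-imported           # constructed marker printed by the probe function

# Turn an exit status (plus captured stdout) into a verdict.
# A status above 128 means the shell was killed by a signal, which is
# how a crash shows up when there is no output to compare against.
classify_status() {
    st=$1
    text=$2
    if [ "$st" -gt 128 ]; then
        echo crashed
    elif [ "$st" -eq 0 ] && [ "$text" = "$MARKER" ]; then
        echo imported          # the function arrived via the environment
    elif [ "$st" -eq 127 ]; then
        echo not-imported      # "command not found": nothing was imported
    else
        echo unknown
    fi
}

# Export a function definition under the variable name given in $1 and
# ask bash to call gr_probe. stderr is discarded inside the substitution
# so signal and core dump messages never reach the terminal.
probe_import() {
    var_name=$1
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo no-bash; return 0; }
    status=0
    out=$( { env "$var_name=() { echo $MARKER; }" "$BASH_BIN" -c gr_probe; } 2>/dev/null ) || status=$?
    classify_status "$status" "$out"
}

# Two encodings: the original plain variable name, and the
# BASH_FUNC_name%% form that patched upstream bash expects.
for name in gr_probe 'BASH_FUNC_gr_probe%%'; do
    printf '%-24s %s\n' "$name" "$(probe_import "$name")"
done
```

A verdict of `imported` only shows that function import is active for that encoding; it says nothing about whether the parser bugs behind the two CVEs are present.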