Oh... the official source of the commands was:
https://access.redhat.com/articles/1200223, but someone was nice enough to
combine them in: https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c47
On Friday, September 26, 2014 9:00:57 PM UTC-5, Mark Casey wrote:
>
> I'm trying to write an Ansible task to check for both CVE-2014-6271 and
> CVE-2014-7169 as I haven't been able to find one pre-made.
>
> This command should check both but for the life of me I can't get the
> escaped single quote past the parser... I've tried some variants of "shell:
> >" and "shell: |" but no dice.
>
>
> - name: Check for shellshock fix (checks for both CVE-2014-6271 and
>> CVE-2014-7169)
>> shell: cd /tmp && rm -f /tmp/echo && env 'x=() { :;}; echo vulnerable'
>> 'f=() { (a)=>\' bash -c 'echo echo vulnerable'; cat echo
>> args:
>> executable: /bin/bash
>> sudo: no
>> register: shellshock_result2
>> changed_when: False
>> failed_when: "'vulnerable' in shellshock_result2.stderr"
>>
>
> This version gives:
>
> ERROR: There was an error while parsing the task "shell cd /tmp && rm -f
> /tmp/echo && env 'x=() { :;}; echo vulnerable' 'f=() { (a)=>\\' bash -c 'echo
> echo vulnerable'; cat echo".
>> Make sure quotes are matched or escaped properly
>>
>>
>
> I'm assuming the issue is that, if I understand correctly, the second
> exploit partly depends on the mismatched quote arriving unharmed(?) and
> YAML thinks that is bad(?).
>
> Anyone have any ideas or should I just copy it over as a script and run
> that?
>
> Thank you,
> Mark
>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/c40d456b-8d1b-40f4-b0a5-95ce4cebe359%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
