On Wed, Sep 24, 2014 at 11:15 PM, Rainer Jung <rainer.j...@kippdata.de> wrote: > A workaround like > > --- server/util_script.c.orig 2013-09-14 14:12:54.000000000 +0000 > +++ server/util_script.c 2014-09-24 20:35:54.952054361 +0000 > @@ -128,6 +128,12 @@ > } > ++whack; > } > + /* Sanitize leading "()" because of CVE-2014-6271 bash exploit */ > + whack++; > + if (*whack++ == '(' && *whack == ')') {
Don't you mean if (*++whack == '(' && *++whack == ')') instead of the 2 lines above? Otherwise the post incrementation won't be done before the second condition, and the test always be false. > + *whack-- = '_'; > + *whack = '_'; > + } > ++j; > } Regards, Yann.