> env X='() { (a)=>\' bash -c "echo date"; cat echo ; rm -f echo

This gives me a positive on bash-3.2.51 on Mac OS X "Mavericks" 10.9.5 but also 
a false positive on a patched bash-4.2.37 on Debian "squeeze" 7.6 (i.e., I get 
the date on both).

However, this test (originally from [1]) is a bit more reliable:

        env x='() { :;}; echo vulnerable' bash -c 'echo hello'

On the same bash from Mac, I get:

bash-3.2$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
vulnerable
hello
bash-3.2$ 

Whereas on the patched bash on Debian, I get:

bash-4.2$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
bash-4.2$ 

Enjoy
--k

[1] http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an/146851#146851
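
The second test from the message above, wrapped so its result can be classified per bash binary instead of read by eye. This is an added example, not part of the original message; the function names and the list of install paths are assumptions, and the two sample outputs are copied from the transcripts above.

```shell
#!/bin/sh
# Added example: classify the result of the function-import probe from the message.
# classify_output and check_bash are hypothetical names, not from any tool.

# Sample outputs copied from the two transcripts in the message above.
SAMPLE_VULNERABLE='vulnerable
hello'
SAMPLE_PATCHED="bash: warning: x: ignoring function definition attempt
bash: error importing function definition for \`x'
hello"

# Print a verdict for the probe's combined stdout+stderr, passed as $1.
classify_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable        # trailing command in x was executed on import
    elif printf '%s\n' "$1" | grep -qx 'hello'; then
        echo not-vulnerable    # only the requested command ran
    else
        echo unknown           # probe did not run to completion
    fi
}

# Run the probe against one bash binary ($1) with an otherwise empty environment.
check_bash() {
    [ -x "$1" ] || { echo absent; return 0; }
    out=$(env -i x='() { :;}; echo vulnerable' "$1" -c 'echo hello' 2>&1) || true
    classify_output "$out"
}

# Check every bash found at common install locations (list is an assumption).
for b in /bin/bash /usr/bin/bash /usr/local/bin/bash /opt/local/bin/bash; do
    printf '%s: %s\n' "$b" "$(check_bash "$b")"
done
```

Matching whole lines keeps the warning text on a patched bash from being mistaken for the marker, and checking each path separately catches a second, older bash left behind after a package upgrade.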
