Thanks very much for the clarification.

Bruce B.

On Sat, Sep 27, 2014 at 11:42 AM, <[email protected]> wrote:
>
> > env X='() { (a)=>\' bash -c "echo date"; cat echo ; rm -f echo
>
> This gives me a positive on bash-3.2.51 on Mac OS X "Mavericks" 10.9.5 but
> also a false positive on a patched bash-4.2.37 on Debian "squeeze" 7.6
> (i.e., I get the date on both).
>
> However, this test (originally from [1]) is a bit more reliable:
>
> env x='() { :;}; echo vulnerable' bash -c 'echo hello'
>
> On the same bash from Mac, I get:
>
> bash-3.2$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
> vulnerable
> hello
> bash-3.2$
>
> Whereas on the patched bash on Debian, I get:
>
> bash-4.2$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
> bash: warning: x: ignoring function definition attempt
> bash: error importing function definition for `x'
> hello
> bash-4.2$
>
> Enjoy
> --k
>
> [1]
> http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an/146851#146851
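
Added example, not part of the original messages: a shell wrapper around the second test quoted above that classifies the combined stdout/stderr, with the two transcripts from the quoted message embedded as samples. The function and variable names are hypothetical, and the check says nothing about the first (`X='() { (a)=>\'`) test.

```shell
#!/bin/sh
# Classify the output of:  env x='() { :;}; echo vulnerable' bash -c 'echo hello'
# Argument: combined stdout+stderr of that command.
classify_shellshock_output() {
    out=$1
    # A line that is exactly "vulnerable" means the text after the function
    # body in the environment variable was executed on import.
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        echo vulnerable
    # "hello" without "vulnerable": the command ran, the trailing code did not.
    # Import warnings on stderr (as in the Debian transcript) do not matter.
    elif printf '%s\n' "$out" | grep -qx 'hello'; then
        echo not-vulnerable
    else
        # bash missing, crashed, or produced something unexpected
        echo inconclusive
    fi
}

# Run the test against a bash binary (default: the bash found in PATH).
check_bash() {
    bash_bin=${1:-bash}
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo hello' 2>&1) || true
    classify_shellshock_output "$out"
}

# Sample outputs copied from the quoted message (prompts removed).
mac_sample=$(cat <<'EOF'
vulnerable
hello
EOF
)
debian_sample=$(cat <<'EOF'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
EOF
)

echo "bash-3.2 transcript: $(classify_shellshock_output "$mac_sample")"
echo "bash-4.2 transcript: $(classify_shellshock_output "$debian_sample")"
echo "local bash:          $(check_bash)"
```

Pass a path, e.g. `check_bash /bin/bash`, to test a specific binary when several bash builds are installed.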
