I would agree with that. Considering the Korn shell was found out to be 
importing functions from bash this morning that it does not completely know how 
to interpret goes to say that there is a much bigger issue at face here than 
the mere sysadmins can begin to fathom quite yet.

There is still more to come from this. We may not see the end of it for the 
next 10 years.

But also to state, bash 4.3.27 on 10-RELEASE-p9 reports as not vulnerable to the 
five known CVEs right now, but that same shell compiled on a 9.1-RELEASE system 
is still vulnerable to the last two CVEs … That said, this is deep just when you 
think you have it conquered.

On Sep 30, 2014, at 16:25, Charles Swiger <cswi...@mac.com> wrote:

> On Sep 30, 2014, at 12:46 PM, Bryan Drewery <bdrew...@freebsd.org> wrote:
> [ ... ]
>> I even saw a reddit post last night complaining that OSX had updated
>> bash only to leave it "still vulnerable" because of the redir_stack issue.
> 
> It doesn't seem to be?
> 
> bash-3.2$ bash --version
> GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
> Copyright (C) 2007 Free Software Foundation, Inc.
> 
> bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
> Testing Exploit 4 (CVE-2014-7186)
> bash-3.2$ CVE7186="$(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null ||echo -n V)"
> bash-3.2$ [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
> NOT VULNERABLE
> 
> This being said, I'm not confident that there won't be further issues found 
> with bash....
> 
> Regards,
> -- 
> -Chuck
> 
> _______________________________________________
> freebsd-secur...@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"

-- 
 Jason Hellenthal
 Mobile: +1 (616) 953-0176
 jhellent...@dataix.net
 JJH48-ARIN

_______________________________________________
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
