On 9/27/14, 1:59 AM, Nemo wrote: > On 26 September 2014 19:44, Saso Kiselkov <skiselkov...@gmail.com> wrote: >> On 9/27/14, 1:41 AM, Nemo wrote: > [...] >>> Whence does the OI bash source originate? On the bash that comes with >>> Solaris 10, the vulnerability is not present: >>> >>> [~]=> bash --version >>> GNU bash, version 3.00.16(1)-release (sparc-sun-solaris2.10) >>> Copyright (C) 2004 Free Software Foundation, Inc. >>> [~]=> env X="() { :;} ; echo busted" /bin/sh -c "echo completed" >>> completed >> >> In general, bash != /bin/sh on either Solaris or Illumos-derived >> systems. Rerun the env test with bash instead of /bin/sh. > > [~]=> echo $SHELL > /bin/bash > [~]=> env X="() { :;} ; echo busted" /bin/sh -c "echo completed" > completed > > Note that I put bash into /bin to avoid GNUisms.
The invoking shell is irrelevant. Here's your problem: vvvvvvv env X="() { :;} ; echo busted" /bin/sh -c "echo completed" ^^^^^^^ Put bash in there and you'll get a vulnerable "busted" result. -- Saso _______________________________________________ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss