Marc, I've just upgraded to 4.3.7-ubuntu1.2 in trusty
(https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.2) which I
assume was supposed to protect against the test case provided for
CVE-2014-7169. It doesn't appear to have done so. Confirmed that the
upgrade was successfully applied.
harry@mars:~ aptitude show bash | egrep '^Version'
Version: 4.3-7ubuntu1.2
harry@mars:~$ md5sum /bin/bash Downloads/bash_4.3-7ubuntu1.2_amd64/bin/bash
3c263963be49239e113a5794d54b732a /bin/bash
3c263963be49239e113a5794d54b732a Downloads/bash_4.3-7ubuntu1.2_amd64/bin/bash
harry@mars:~$ cat echo
cat: echo: No such file or directory
harry@mars:~$ env -i X='() { (a)=>\' bash -c 'echo date'
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
harry@mars:~$ cat echo
Fri Sep 26 00:38:09 BST 2014
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1373781
Title:
bash incomplete fix for CVE-2014-6271
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1373781/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
