
Masa's blog


2014-09-26 CVE-2014-6271: remote code execution through bash


BASH PATCH REPORT bash43-025

Before the upgrade

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

OMG!

Let's upgrade to bash-4.3.25 on Slackware.

$ tar xvvf bash-4.3.tar.gz
$ tar xvvf bash-4.3-patches.tar.gz
$ cd bash-4.3
$ cat ../bash-4.3-patches/bash43* | patch -p0
$ ./configure --prefix=/usr --mandir=/usr/man --infodir=/usr/info
$ make
# make install-strip

# cd /usr/bin
# mv bashbug bashbug.REMOVED && chmod -x bashbug.REMOVED
# mv bash /bin/bash.new
# ln -sf /bin/bash .

# cd /bin
# mv bash bash.old
# mv bash.new bash
# mv bash.old bash.old.REMOVED && chmod -x bash.old.REMOVED

After the upgrade

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

But CVE-2014-7169 is not fixed yet :(
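
The swap above leaves several copies of bash on disk (/bin/bash, the /usr/bin/bash symlink, and the renamed old binary), so it is worth running the same probe against each of them. This script is an added example, not part of the original post; the function names probe_bash and audit_bash are made up here, and it only covers the CVE-2014-6271 probe shown on this page, not CVE-2014-7169.

```shell
#!/bin/sh
# Added example, not from the original post. The probe string is the one shown above.

# probe_bash BIN -> prints: missing | not-executable | vulnerable | not-vulnerable | unknown
probe_bash() {
    bin=$1
    [ -e "$bin" ] || { echo missing; return 0; }
    [ -x "$bin" ] || { echo not-executable; return 0; }
    # An unpatched bash runs the command trailing the function body while
    # importing x, so "vulnerable" reaches stdout. stderr is dropped because
    # 4.3.25 prints its "ignoring function definition attempt" warning there.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c "echo this is a test" 2>/dev/null) || true
    case "$out" in
        *vulnerable*)       echo vulnerable ;;
        *"this is a test"*) echo not-vulnerable ;;
        *)                  echo unknown ;;
    esac
}

# audit_bash BIN... -> one "status path [version]" line per binary, then a count
audit_bash() {
    bad=0
    for b in "$@"; do
        st=$(probe_bash "$b")
        ver=
        case "$st" in
            vulnerable|not-vulnerable)
                # Ask the binary itself, e.g. 4.3.25(1)-release after the patch set above.
                ver=$("$b" -c 'echo "$BASH_VERSION"' 2>/dev/null) || true ;;
        esac
        [ "$st" = vulnerable ] && bad=$((bad + 1))
        echo "$st $b $ver"
    done
    echo "vulnerable=$bad"
}

# Paths taken from the procedure above.
audit_bash /bin/bash /usr/bin/bash /bin/bash.old.REMOVED
```

After the steps above, the old binary should report not-executable and both live paths should report not-vulnerable with the new version string.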