This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: cygwin bash and Shellshock / CVE-2014-6271 & CVE-2014-7169

From: Marco Atzeri <marco dot atzeri at gmail dot com>
To: cygwin at cygwin dot com
Date: Fri, 26 Sep 2014 22:06:06 +0200
Subject: Re: cygwin bash and Shellshock / CVE-2014-6271 & CVE-2014-7169
Authentication-results: sourceware.org; auth=none
References: <000001cfd9c0$c599c150$50cd43f0$ at belarc dot com>



On 26/09/2014 21:33, Richard DeFuria wrote:

Hello,

I downloaded the latest setup and installed the latest packages on my Win8.1
x64 box.

It seems as though my cygwin bash shell has been patched against
CVE-2014-6271 as per:
	$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
	bash: warning: x: ignoring function definition attempt
	bash: error importing function definition for `x'
	this is a test

However, it is still susceptible to CVE-2014-7169 as per:
	$ env X='() { (a)=>\' sh -c "echo date"; cat echo
	sh: X: line 1: syntax error near unexpected token `='
	sh: X: line 1: `'
	sh: error importing function definition for `X'
	Fri, Sep 26, 2014  3:23:15 PM

That is, the 'original' Shellshock vulnerability is fixed, but not the 'new'
Shellshock vulnerability.

Is this correct?


https://cygwin.com/ml/cygwin/2014-09/msg00400.html
`

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

References:
- cygwin bash and Shellshock / CVE-2014-6271 & CVE-2014-7169
  - From: Richard DeFuria

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]