Date:      Mon, 29 Sep 2014 14:36:23 +0400
From:      Kulesho <rndfax@yandex.ru>
To:        n j <nino80@gmail.com>, "freebsd-security@freebsd.org FreeBSD-security" <freebsd-security@freebsd.org>
Subject:   Re: Bash ShellShock bug(s)
Message-ID:  <2709351411986983@web15m.yandex.ru>
In-Reply-To: <CALf6cgb_HQXMUFo108RiEiKu0wV2F9bircH1DYwEB4=VjtXShw@mail.gmail.com>
References:  <2423691411974542@web12j.yandex.ru> <B5F07349-45ED-4B38-892A-2F7F4A25C085@patpro.net> <1771201411976082@web22o.yandex.ru> <7B489747-0FF8-4081-A001-7A510C3C6FA1@patpro.net> <CALf6cgb_HQXMUFo108RiEiKu0wV2F9bircH1DYwEB4=VjtXShw@mail.gmail.com>

Thank you for the explanation! Now I can sleep calmly.

29.09.2014, 13:27, "n j" <nino80@gmail.com>:
> Hi,
>
> On Mon, Sep 29, 2014 at 9:55 AM, Patrick Proniewski <patpro@patpro.net>
> wrote:
>> On 29 sept. 2014, at 09:34, Кулешов Алексей <rndfax@yandex.ru> wrote:
>>> Right. Okay then, here it is:
>>>
>>> # pkg remove bash
>>> ... change 'bash' to 'sh' in bashcheck ...
>>> # sh bashcheck
>>> Not vulnerable to CVE-2014-6271 (original shellshock)
>>> Not vulnerable to CVE-2014-7169 (taviso bug)
>>> Not vulnerable to CVE-2014-7186 (redir_stack bug)
>>> Vulnerable to CVE-2014-7187 (nessted loops off by one)
>>> Variable function parser inactive, likely safe from unknown parser bugs
>>>
>>> So, there is no bash on my system anymore, but script says it has one
>>> vulnerability.
>>> Is it actually vulnerability or it's me who must take a good sleep? :)
>> This is odd. As far as I know, no one reported sh as being vulnerable to
>> CVE-2014-7187. But may be it's only on FreeBSD... I don't have an answer to
>> that.
>
> I'd say the test is not relevant for sh. The line that tests for
> CVE-2014-7187 uses {1..200} construct which is not understood by sh.
>
> E.g.
> sh$ for i in {1..5}; do echo -n $i; done
> {1..5}
> bash$ for i in {1..5}; do echo -n $i; done
> 12345
>
> Br,
> --
> Nino
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
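
Nino's point above, as an added example that is not part of the original thread: a POSIX sh script that probes whether a shell expands `{1..5}` before a result from a test built on that construct is trusted. The function names are hypothetical, and the probe uses a plain `echo {1..5}` rather than the bashcheck test line.

```shell
#!/bin/sh
# Added example: is a check built on {N..M} meaningful for a given shell?

# Classify what a shell printed for `echo {FIRST..LAST}`.
classify_range_output() {
    out=$1; first=$2; last=$3
    expected=""; i=$first
    while [ "$i" -le "$last" ]; do
        expected="${expected:+$expected }$i"
        i=$((i + 1))
    done
    if [ "$out" = "$expected" ]; then
        echo expanded          # the shell generated the sequence itself
    elif [ "$out" = "{$first..$last}" ]; then
        echo literal           # braces passed through as one ordinary word
    else
        echo unknown
    fi
}

# Run the probe in the named shell (hypothetical helper name).
probe_shell() {
    command -v "$1" >/dev/null 2>&1 || { echo missing; return 0; }
    # Single quotes: the probed shell, not this script, sees the braces.
    probe_out=$("$1" -c 'echo {1..5}' 2>/dev/null) || { echo unknown; return 0; }
    classify_range_output "$probe_out" 1 5
}

# Say how to read the result of a brace-range based test for the named shell.
range_test_applicability() {
    case $(probe_shell "$1") in
        expanded) echo "applicable" ;;
        literal)  echo "not applicable" ;;
        missing)  echo "not installed" ;;
        *)        echo "inconclusive" ;;
    esac
}

# Report for the two shells discussed in the thread.
for s in sh bash; do
    printf '%s: range-based test %s\n' "$s" "$(range_test_applicability "$s")"
done
```

A shell reported as "not applicable" never ran the loop the test intended, so a "Vulnerable" line from that test says nothing about that shell.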


