From owner-freebsd-security@FreeBSD.ORG Tue Sep 30 22:08:05 2014 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from hammer.pct.niksun.com (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by hub.freebsd.org (Postfix) with ESMTP id 8D7345A5; Tue, 30 Sep 2014 22:08:02 +0000 (UTC) Message-ID: <542B29C1.7010505@FreeBSD.org> Date: Tue, 30 Sep 2014 18:08:01 -0400 From: Jung-uk Kim User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2 MIME-Version: 1.0 To: Mike Tancsa , Charles Swiger , Bryan Drewery Subject: Re: bash velnerability References: <00000148ab969845-5940abcc-bb88-4111-8f7f-8671b0d0300b-000000@us-west-2.amazonses.com> <54243F0F.6070904@FreeBSD.org> <54244982.8010002@FreeBSD.org> <16EB2C50-FBBA-4797-83B0-FB340A737238@circl.lu> <542596E3.3070707@FreeBSD.org> <5425999A.3070405@FreeBSD.org> <5425A548.9090306@FreeBSD.org> <5425D427.8090309@FreeBSD.org> <54298266.1090201@sentex.net> <5429851B.8060500@FreeBSD.org> <542AFC54.9010405@FreeBSD.org> <542B087D.3040903@FreeBSD.org> <542B27FF.10204@sentex.net> In-Reply-To: <542B27FF.10204@sentex.net> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Cc: freebsd-security , freebsd-ports X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Sep 2014 22:08:05 -0000 On 2014-09-30 18:00:31 -0400, Mike Tancsa wrote: > On 9/30/2014 5:25 PM, Charles Swiger wrote: >> bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)" >> Testing Exploit 4 (CVE-2014-7186) >> bash-3.2$ CVE7186="$(bash -c 'true <> </dev/null ||echo -n >> V)" >> bash-3.2$ [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT >> VULNERABLE" >> NOT VULNERABLE >> >> This being said, I'm not confident that there won't be further issues >> found with bash.... >> > > What are people using to check these issues ? I was using > > https://github.com/hannob/bashcheck > > Not sure if that gives false positives ? ... Yes, it seems it does. https://github.com/hannob/bashcheck/commit/5b611b36 Jung-uk Kim