Mail Archives: cygwin/2014/10/03/00:24:48

Message-ID: <542E24F9.4070409@redhat.com>
Date: Thu, 02 Oct 2014 22:24:25 -0600
From: Eric Blake <eblake AT redhat DOT com>
To: The Cygwin Mailing List <cygwin AT cygwin DOT com>
Subject: Re: Updated: bash-4.1.16-8
References: <542E1B8C DOT 7070807 AT byu DOT net>
In-Reply-To: <542E1B8C.7070807@byu.net>

On 10/02/2014 09:44 PM, Eric Blake (cygwin) wrote:

> To avoid confusion, the following test unambiguously tests if you are
> vulnerable to ShellShock:
> $ env 'x=() { echo vulnerable; }' bash -c x
>
> If it prints "x: command not found", your version of bash is safe and
> not subject to remote exploits.  If it prints "vulnerable", you need to
> upgrade now.

D'oh - it was pointed out to me that on systems where the X server is
installed, the command 'x' might actually attempt to fire up an X server
rather than reporting command not found.  Don't worry - that's also a
sign that you are NOT vulnerable (the attempt to define a function to
mask out an existing command did not succeed).

But it's better to write a probe that is less likely to conflict with a
real command:

$ env 'nosuch=() { echo vulnerable; }' bash -c nosuch


-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
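
The probe from the message above wrapped as a script, as an added example that is not part of the original post. The function names `pick_probe_name`, `classify_probe_output` and `probe_bash` are hypothetical; it assumes a POSIX `sh` with `env` available, picks a probe name that matches no existing command, and reports `unknown` rather than a false "not vulnerable" when the target binary cannot be run.

```shell
#!/bin/sh
# Added example (not from the original message); helper names are hypothetical.

# Choose a probe name that resolves to no command, builtin or function here,
# so output can never come from a real program (the 'x' / X server case).
pick_probe_name() {
    name=nosuch n=0
    while command -v "$name" >/dev/null 2>&1; do
        n=$((n + 1)); name="nosuch$n"
    done
    printf '%s\n' "$name"
}

# Only the marker printed by the injected function body means bash imported
# the function from the environment; any other output means it did not.
classify_probe_output() {
    case $1 in
        vulnerable) echo "vulnerable" ;;
        *)          echo "not vulnerable" ;;
    esac
}

# Probe one bash binary (default: first bash on PATH).
# Prints vulnerable / not vulnerable / unknown.
# Returns 0 only for "not vulnerable", 1 for "vulnerable", 2 for "unknown".
probe_bash() {
    target=${1:-bash}
    path=$(command -v "$target" 2>/dev/null) || path=
    # A missing binary also prints nothing; do not report that as safe.
    [ -x "$path" ] || { echo "unknown"; return 2; }
    name=$(pick_probe_name)
    out=$(env "$name=() { echo vulnerable; }" "$path" -c "$name" 2>/dev/null) || true
    verdict=$(classify_probe_output "$out")
    echo "$verdict"
    [ "$verdict" = "not vulnerable" ]
}
```

Call `probe_bash /path/to/bash` once for each bash binary installed on the system, since a patched copy on PATH says nothing about other copies.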



