Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Message-ID: <542E24F9.4070409@redhat.com>
Date: Thu, 02 Oct 2014 22:24:25 -0600
From: Eric Blake
To: The Cygwin Mailing List
Subject: Re: Updated: bash-4.1.16-8
References: <542E1B8C DOT 7070807 AT byu DOT net>
In-Reply-To: <542E1B8C.7070807@byu.net>

On 10/02/2014 09:44 PM, Eric Blake (cygwin) wrote:

> To avoid confusion, the following test unambiguously tests if you are
> vulnerable to ShellShock:
> $ env 'x=() { echo vulnerable; }' bash -c x
>
> If it prints "x: command not found", your version of bash is safe and
> not subject to remote exploits. If it prints "vulnerable", you need to
> upgrade now.

D'oh - it was pointed out to me that on systems where the X server is
installed, the command 'x' might actually attempt to fire up an X server
rather than reporting command not found. Don't worry - that's also a
sign that you are NOT vulnerable (the attempt to define a function to
mask out an existing command did not succeed). But it's better to write
a probe that is less likely to conflict with a real command:

$ env 'nosuch=() { echo vulnerable; }' bash -c nosuch

--
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
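
The probe from the message above, wrapped as a shell function that first rules out the name collision described for 'x' and then classifies the outcome. This is an added example, not part of the original post or of the Cygwin bash package; the function name shellshock_probe, the probe name and the three result words are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: run the probe from the message against one bash binary.
# shellshock_probe, the probe name and the result words are hypothetical.

shellshock_probe() {
    shell=${1:-bash}            # binary to test; defaults to bash found on PATH
    name="nosuch_probe_$$"      # constructed name, unlikely to be a real command

    # A missing binary also yields exit status 127, so rule that out first.
    command -v "$shell" >/dev/null 2>&1 || { echo "inconclusive"; return 2; }

    # The collision from the message: if the name already resolves to a
    # command in the target shell, the probe output would be ambiguous.
    if "$shell" -c "command -v $name" >/dev/null 2>&1; then
        echo "inconclusive"
        return 2
    fi

    # Same probe as in the message. stderr is discarded so that only the
    # output of an imported function can end up in $out.
    status=0
    out=$(env "$name=() { echo vulnerable; }" "$shell" -c "$name" 2>/dev/null) \
        || status=$?

    if [ "$out" = "vulnerable" ]; then
        echo "vulnerable"       # the function definition was imported and ran
        return 1
    elif [ "$status" -eq 127 ]; then
        echo "not-vulnerable"   # "command not found": nothing was imported
        return 0
    fi
    echo "inconclusive"         # anything else needs a manual look
    return 2
}
```

Source the file and call `shellshock_probe /bin/bash` (or any other path) for each bash binary installed on the system; the return status mirrors the printed word.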