bash 4.3.24_0 critical security update

[hahn.seb@…]

CVE-2014-6271 is a critical vulnerability in bash. Attached patch applies the fix.

[mf2k (Frank Schima)]

In the future, please Cc the port maintainers (port info --maintainers bash).

[raimue (Rainer Müller)]

Thanks for the heads-up. Fixed in r125719.

[johndouthat@…]

After installing 4.3.25 from MacPorts, bash still seems to be vulnerable

~ $ echo $BASH_VERSION
4.3.25(1)-release
~ $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

I expected to see something like this: (from a patched Ubuntu 12.04 machine)

~$  echo $BASH_VERSION
4.2.25(1)-release
~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

[hahn.seb@…]

Sorry about forgetting to CC the maintainer.

Fun, for me the exploit doesn't work anymore.

[ ~]$ echo $BASH_VERSION
4.3.25(1)-release
[ ~]$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

[johndouthat@…]

My mistake! I was running the wrong version of bash. Sincerest apologies.

~ $ env x='() { :;}; echo vulnerable' /opt/local/bin/bash -c "echo this is a test"
/opt/local/bin/bash: warning: x: ignoring function definition attempt
/opt/local/bin/bash: error importing function definition for `x'
this is a test

[cooljeanius (Eric Gallager)]

Cc Me!