[MacPorts] #45162: Bash still vulnerable
MacPorts
noreply at macports.org
Thu Sep 25 23:06:22 PDT 2014
#45162: Bash still vulnerable
-----------------------+--------------------------------
Reporter: kost.hc@… | Owner: macports-tickets@…
Type: defect | Status: new
Priority: High | Milestone:
Component: ports | Version: 2.3.1
Keywords: | Port: bash
-----------------------+--------------------------------
Bash is still vulnerable to the shellshock bash:
{{{
$ sudo port selfupdate
Password:
---> Updating MacPorts base sources using rsync
MacPorts base version 2.3.1 installed,
MacPorts base version 2.3.1 downloaded.
---> Updating the ports tree
---> MacPorts base is already the latest version
The ports tree has been updated. To upgrade your installed ports, you
should run
port upgrade outdated
}}}
{{{
$ sudo port install bash
---> Computing dependencies for bash
---> Cleaning bash
---> Scanning binaries for linking errors
---> No broken files found.
}}}
{{{
$ bash --version
GNU bash, version 4.3.25(1)-release (x86_64-apple-darwin13.2.0)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
}}}
It is not vulnerable to this:
{{{
$ env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
/bin/sh: warning: X: ignoring function definition attempt
/bin/sh: error importing function definition for `X'
stuff
}}}
But still vulnerable to this:
{{{
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Fri Sep 26 00:48:31 CEST 2014
}}}
If you need more info, check this URL:
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
--
Ticket URL: <https://trac.macports.org/ticket/45162>
MacPorts <http://www.macports.org/>
Ports system for OS X
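
Added example, not part of the ticket or of MacPorts' own code: a POSIX sh script that re-runs the ticket's two probes against one explicitly named shell binary, with the second probe confined to a scratch directory so the stray `echo` file it can create is detected and cleaned up. The function names are this example's own; the script defaults to `sh`, so pass the path of the bash build you actually want to test.

```shell
#!/bin/sh
# Added example: the ticket's two probes, run against one named shell binary.
# All function names here are this example's own.

# Resolve the argument to a concrete executable so the verdict applies to that
# binary, not to whichever `sh` happens to be first on PATH.
resolve_shell() {
    case $1 in
        /*) [ -x "$1" ] && printf '%s\n' "$1" ;;
        *)  command -v "$1" ;;
    esac
}

# Probe 1 (first test in the ticket): is a command placed after an imported
# function definition executed? "busted" in the output means it was.
probe_trailing_command() {
    shell_path=$(resolve_shell "$1") || return 2
    out=$(env X='() { :;} ; echo busted' "$shell_path" -c 'echo stuff' 2>/dev/null) || true
    case $out in
        *busted*) echo vulnerable ;;
        *)        echo 'not vulnerable' ;;
    esac
}

# Probe 2 (second test in the ticket): does the broken definition leave a
# redirection behind, so that `echo date` runs `date` into a file named "echo"?
# Runs inside a scratch directory; the file's existence is the verdict.
probe_parser_redirect() {
    shell_path=$(resolve_shell "$1") || return 2
    scratch=$(mktemp -d) || return 2
    ( cd "$scratch" && env X='() { (a)=>\' "$shell_path" -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$scratch/echo" ]; then verdict=vulnerable; else verdict='not vulnerable'; fi
    rm -rf "$scratch"
    echo "$verdict"
}

check_shell() {
    printf '%s: trailing command: %s\n' "$1" "$(probe_trailing_command "$1")"
    printf '%s: parser redirect:  %s\n' "$1" "$(probe_parser_redirect "$1")"
}

# Usage: sh check.sh /path/to/bash   (defaults to `sh` when no path is given)
check_shell "${1:-sh}"
```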