Note : CentOS Fix for CVE-2014-7169
Redhat announced that the fix for CVE-2014-6271 is incomplete and reporting new one CVE-2014-7169 .
As per the latest update they are working to patch this against CVE-2014-7169.
People are able to recreate the bug like the following
/]$ rpm -qa | grep bash
bash-4.1.2-15.el6_5.1.x86_64 ( patched version )
~]$ env x='() { :;}; echo vulnerable’ bash -c “echo this is a test”
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’
this is a test
/]$ env X='() { (a)= >\’ bash -c “echo date”; cat echo
bash: X: line 0: syntax error near unexpected token `=’
bash: X: line 0: `X () { (a)= >\’
bash: error importing function definition for `X’
date
cat: echo: No such file or directory
/]$ env X='() { (a)=>\’ bash -c “echo echo vuln”; [[ “$(cat echo)” == “vuln” ]] && echo “still vulnerable :(“
bash: X: line 1: syntax error near unexpected token `=’
bash: X: line 1: `’
bash: error importing function definition for `X’
bash: echo: Permission denied
cat: echo: No such file or directory
Waiting for the patch from Redhat .
Referrence : –
https://access.redhat.com/security/cve/CVE-2014-7169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
Recent Comments