From: n j
Date: Mon, 29 Sep 2014 11:26:34 +0200
Subject: Re: Bash ShellShock bug(s)
To: freebsd-security@freebsd.org
In-Reply-To: <7B489747-0FF8-4081-A001-7A510C3C6FA1@patpro.net>

Hi,

On Mon, Sep 29, 2014 at 9:55 AM, Patrick Proniewski wrote:
>
> On 29 sept. 2014, at 09:34, Кулешов Алексей wrote:
>
> > Right. Okay then, here it is:
> >
> > # pkg remove bash
> > ... change 'bash' to 'sh' in bashcheck ...
> > # sh bashcheck
> > Not vulnerable to CVE-2014-6271 (original shellshock)
> > Not vulnerable to CVE-2014-7169 (taviso bug)
> > Not vulnerable to CVE-2014-7186 (redir_stack bug)
> > Vulnerable to CVE-2014-7187 (nessted loops off by one)
> > Variable function parser inactive, likely safe from unknown parser bugs
> >
> > So, there is no bash on my system anymore, but the script says it has one
> > vulnerability.
> > Is it actually a vulnerability, or is it me who must take a good sleep? :)
>
> This is odd. As far as I know, no one reported sh as being vulnerable to
> CVE-2014-7187. But maybe it's only on FreeBSD... I don't have an answer to
> that.

I'd say the test is not relevant for sh. The line that tests for
CVE-2014-7187 uses the {1..200} construct, which is not understood by sh.
E.g.

sh$ for i in {1..5}; do echo -n $i; done
{1..5}

bash$ for i in {1..5}; do echo -n $i; done
12345

Br,
-- 
Nino
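Nino's point, put into a runnable form as an added example (this is not code from the thread or from the bashcheck script): a checker that builds its test on bash-only brace expansion misreports under sh, so it should detect that first and skip rather than report "vulnerable". The function names and the "ran"/"skipped" outputs are my own choices.

```sh
#!/bin/sh
# Added example, not part of the original thread or of bashcheck.

# Does the shell named in $1 expand {1..5} into five words?
# Prints "yes" or "no". A shell that is missing also yields "no".
brace_expansion_supported() {
    out=$("$1" -c 'for i in {1..5}; do printf %s "$i"; done' 2>/dev/null) || out=""
    if [ "$out" = "12345" ]; then echo yes; else echo no; fi
}

# Portable replacement for `for i in {a..b}`: prints a..b concatenated
# using only POSIX arithmetic and a while loop, so sh and bash agree.
portable_range() {
    i=$1
    while [ "$i" -le "$2" ]; do
        printf %s "$i"
        i=$((i + 1))
    done
}

# Preflight a brace-based test: run it only in a shell that expands
# braces, otherwise report "skipped" instead of a bogus verdict.
brace_test_preflight() {
    if [ "$(brace_expansion_supported "$1")" = "yes" ]; then
        echo ran
    else
        echo skipped
    fi
}

main() {
    printf 'sh expands braces:   %s\n' "$(brace_expansion_supported sh)"
    printf 'bash expands braces: %s\n' "$(brace_expansion_supported bash)"
    printf 'portable 1..5:       %s\n' "$(portable_range 1 5)"
    printf 'brace test under sh: %s\n' "$(brace_test_preflight sh)"
}

main "$@"
```

Run it with `sh` and with `bash`; the portable loop prints 12345 in both, while the brace check answers per shell.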