← Back to team overview

touch-packages team mailing list archive

[Bug 1373781] Re: bash incomplete fix for CVE-2014-6271

 

@Marc

its only a feedback, and i only see that warning.
if you think its ok, i'm ok too (no skill on my side for commenting)

as i've reported an other bug about that 'warning' thing, i'm closing it
too.

Thanks for the answer

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to bash in Ubuntu.
https://bugs.launchpad.net/bugs/1373781

Title:
  bash incomplete fix for CVE-2014-6271

Status in “bash” package in Ubuntu:
  Fix Released
Status in “bash” source package in Lucid:
  Fix Released
Status in “bash” source package in Precise:
  Fix Released
Status in “bash” source package in Trusty:
  Fix Released
Status in “bash” source package in Utopic:
  Fix Released

Bug description:
  The fixes for CVE-2014-6271 do NOT work! Security vuln, but should be
  public, this is known already.

  Ubuntu 14.04 LTS: bash 4.3-7ubuntu1.1
  Ubuntu 12.04 LTS: bash 4.2-2ubuntu2.2
  Ubuntu 10.04 LTS: bash 4.1-2ubuntu3.1

  Testcase:
  rm -f echo && env -i  X='() { (a)=>\' bash -c 'echo id'; cat echo

  expected output:
  bash: X: line 1: syntax error near unexpected token `='
  bash: X: line 1: `'
  bash: error importing function definition for `X'
  id

  actual output:
  bash: X: line 1: syntax error near unexpected token `='
  bash: X: line 1: `'
  bash: error importing function definition for `X'
  uid=0(root) gid=0(root) groups=0(root)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1373781/+subscriptions