touch-packages team mailing list archive

Thread
Date

[Bug 1373688] Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Mathew Hodson <mathew.hodson@xxxxxxxxx>
Date: Tue, 30 Sep 2014 13:44:32 -0000
Reply-to: Bug 1373688 <1373688@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

*** This bug is a duplicate of bug 1373781 ***
    https://bugs.launchpad.net/bugs/1373781

** This bug has been marked a duplicate of bug 1373781
   bash incomplete fix for CVE-2014-6271

** CVE removed: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-6271

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to bash in Ubuntu.
https://bugs.launchpad.net/bugs/1373688

Title:
  Bash Code Injection Vulnerability via Specially Crafted Environment
  Variables

Status in “bash” package in Ubuntu:
  Fix Released

Bug description:
  Identified in RedHat and Debian

  https://www.debian.org/security/2014/dsa-3032

  From the RedHat advisory - https://access.redhat.com/articles/1200223

  "Diagnostic Steps

  To test if your version of Bash is vulnerable to this issue, run the
  following command:

  $ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"

  If the output of the above command looks as follows:

  vulnerable
  this is a test"

  Confirmed on Ubuntu 14.04 LTS using Bash 4.3-7ubuntu1.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1373688/+subscriptions