[Info-vax] And now bash has a vulnerability

RobertsonEricW robertsonericw at netzero.net
Thu Sep 25 08:43:53 EDT 2014


On Thursday, September 25, 2014 8:08:13 AM UTC-4, hb wrote:
> On 09/25/2014 01:32 PM, RobertsonEricW wrote:
> > Thanks for posting this information! OpenVMS bash is currently built using
> > Bash 4.3.24. I am assuming that this contains the incomplete fix. But I will
> > keep an eye out for any information on the Bash development site.
> 
> What is 'OpenVMS bash'? No (incomplete) fix in that version:
> 

Sorry about that. I was typing in a hurry because I had to leave with my son to drop him off at school this morning. I should have said "GNV Bash for OpenVMS is built using the bash source archive snapshot of 4.3.24".

> $ mcr gnv$gnu:[bin]bash -version
> GNU bash, version 4.3.24(0)-release (alpha-dec-vms)
> Copyright (C) 2013 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> 
> This is free software; you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> PACKAGE GNV-3.0-1-EWR-1 ECO 0 Sep  4 2014 19:53:47 VMS 80300022 HP/DECC 70390010
> $
> $ mcr gnv$gnu:[bin]bash -c "env x='() { :;}; echo vulnerable' /bin/bash -c ""echo this is a test"""
> vulnerable
> this is a test
> $
> $ mcr gnv$gnu:[bin]bash -c "env X='() { (a)=>\' /bin/bash -c ""echo date""; /bin/cat echo"
> /bin/bash: X: line 1: syntax error near unexpected token `='
> /bin/bash: X: line 1: `'
> /bin/bash: error importing function definition for `X'
> Thu Sep 25 07:57:11 EDT 2014
> $
> $ type echo.
> Thu Sep 25 07:57:11 EDT 2014
> $
> 
> This version is vulnerable, but is there anybody using gnv/bash based
> CGI code etc. in any (web) service on OpenVMS?

Thanks. Once I got back home from dropping off my son at school, I did the same thing you did and got the same results that you did indicating that GNU Bash 4.3.24 does not have any fix (partial or otherwise) regarding this bug.
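The two checks hb ran above, packaged as a reusable POSIX sh function for auditing a Unix-side bash binary (an added example, not code from the thread or from the GNV project; it assumes a plain `bash` on the path rather than the `mcr gnv$gnu:[bin]bash` DCL invocation, and it runs the second check in a scratch directory so the stray `echo` file the bug creates never lands in the working directory):

```shell
#!/bin/sh
# check_bash_env_import BASH_PATH
#   Runs the two environment-function-import tests from the thread against
#   the given bash binary. Returns 0 when both look fixed, 1 when either
#   shows the bug, 2 when the binary cannot be run. Output is one line per test.
check_bash_env_import() {
    bash_bin="${1:-$(command -v bash)}"   # assumption: a Unix bash, not GNV's
    [ -n "$bash_bin" ] && [ -x "$bash_bin" ] || { echo "cannot run: $bash_bin"; return 2; }
    status=0

    # Test 1: trailing commands after an exported function body must not run.
    # A fixed build prints only "this is a test"; a vulnerable one also
    # prints "vulnerable".
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "env-function-import: VULNERABLE"; status=1 ;;
        *)            echo "env-function-import: fixed" ;;
    esac

    # Test 2 (the "incomplete fix" case discussed in the thread): a malformed
    # function leaves a dangling redirection in the parser, so the next
    # command is parsed as "> echo date" and a file named "echo" appears
    # containing the date. Run it inside a temporary directory and look for
    # that file, then clean up regardless of the outcome.
    tmpdir=$(mktemp -d) || { echo "cannot create scratch dir"; return 2; }
    ( cd "$tmpdir" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 )
    if [ -f "$tmpdir/echo" ]; then
        echo "parser-state-leak: VULNERABLE"; status=1
    else
        echo "parser-state-leak: fixed"
    fi
    rm -rf "$tmpdir"
    return $status
}
```

Run `check_bash_env_import /path/to/bash` for each build you ship; a non-zero return means that build still needs the complete fix.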
