Ars reports that a new bug has been found in GNU Bash allows remote attackers to execute arbitrary code by setting the process trailing strings after function definitions in the values of environment variables.
This bug is reported to be present in RHEL (ver 4 through 7), Fedora, CentOS (ver 5 through 7), Ubuntu (ver 10.04 LTS, 12.04 LTS, and 14.04 LTS), Debian, and even OS X Mavericks.
This bug is exploitable through Apache servers with mod_cgi and mod_cgid loaded, OpenSSH, malicious DHCP servers in a compromised wireless access point through dhclient, as well as the CUPS printing system.
The Ars also includes a simple single liner that will test your setup for the newly found discovery:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
A vulnerable system will output the following:
vulnerable
this is a test
While a patched or unaffected system outputs:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
A patch is already out, so administrators are advised to update Bash.
Editor's Update: Security Engineer Tavis Ormandy has said "The bash patch seems incomplete to me, function parsing is still brittle".
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
(Score: 2, Interesting) by Anonymous Coward on Thursday September 25 2014, @02:18AM
This is off-topic but I have a suggestion I want to make, and I refuse to use GitHub: There should be a button so that we can easily view all comments. It does the same as setting both dropdowns to -1, and clicking Change.
(Score: 1, Informative) by Anonymous Coward on Thursday September 25 2014, @03:43AM
this is one reason I also read PipeDot, because you can read entire discussions without clicking anything.
(Score: 2) by tangomargarine on Thursday September 25 2014, @02:46PM
Mostly because there are no comments on the articles
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by DeathMonkey on Thursday September 25 2014, @05:39PM
this is one reason I also read PipeDot, because you can read entire discussions without clicking anything.
Use the 'Nested' option at the top of the thread to see the whole discussion without clicking anything. I set this up in my profile to be default.
(Score: 0) by Anonymous Coward on Thursday September 25 2014, @10:36PM
A lot of us refuse to use profiles because signing up for yet another website is a stupid thing to do, even if it's our dear SoylentNews. This is an option that should be available to anyone, regardless of account status, or made easily accessible though a button.
(Score: 0) by Anonymous Coward on Thursday September 25 2014, @07:00AM
Every single time I read comments here I first set the threshold to -1 and the view to nested and then punch change. Gets kinda irksome, agreed.
(Score: 3, Informative) by zafiro17 on Thursday September 25 2014, @12:01PM
For what it's worth, the little plus and minus buttons here are useful, but are damned-near impossible to click on a tablet or phone UI.
Dad always thought laughter was the best medicine, which I guess is why several of us died of tuberculosis - Jack Handey
(Score: 0) by Anonymous Coward on Thursday September 25 2014, @08:51PM
I only browse this site on a phone, and I didn't even see them until you pointed them out!