Ars reports that a new bug has been found in GNU Bash that allows remote attackers to execute arbitrary code: Bash processes trailing strings after function definitions in the values of environment variables.
This bug is reported to be present in RHEL (ver 4 through 7), Fedora, CentOS (ver 5 through 7), Ubuntu (ver 10.04 LTS, 12.04 LTS, and 14.04 LTS), Debian, and even OS X Mavericks.
This bug is exploitable through Apache servers with mod_cgi and mod_cgid loaded, OpenSSH, malicious DHCP servers in a compromised wireless access point through dhclient, as well as the CUPS printing system.
The Ars article also includes a simple one-liner that will test your setup for the newly discovered bug:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
A vulnerable system will output the following:
vulnerable
this is a test
While a patched or unaffected system outputs:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
A patch is already out, so administrators are advised to update Bash.
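Added example (not from the Ars article or from this page's author): a POSIX shell script that runs the one-liner above against each shell binary on a host and classifies the captured output the way the article describes, which is useful for confirming that an update actually took effect. The function names, the candidate path list and the "not-affected" and "inconclusive" verdicts are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify shells using the test one-liner quoted in the article.

# Classify the combined stdout+stderr produced by the test command.
classify_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        # The trailing "echo vulnerable" ran while the variable was imported.
        echo "vulnerable"
    elif printf '%s\n' "$1" | grep -q 'ignoring function definition attempt'; then
        # Patched Bash: the import was refused with a warning.
        echo "patched"
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        # A shell that never imports functions from the environment
        # (dash, for example) prints only the test line.
        echo "not-affected"
    else
        echo "inconclusive"
    fi
}

# Run the article's one-liner against one shell binary and print the verdict.
check_shell() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo "missing"
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' "$shell_path" -c "echo this is a test" 2>&1) || true
    classify_output "$out"
}

# Report on every candidate shell present on this host.
# The path list is an assumption; extend it for your own systems.
scan_shells() {
    for s in /bin/bash /usr/bin/bash /usr/local/bin/bash /bin/sh; do
        [ -x "$s" ] && printf '%s: %s\n' "$s" "$(check_shell "$s")"
    done
    return 0
}

scan_shells
```

A "patched" verdict only says that this particular test string was rejected, so re-run the check after each further Bash update.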
Editor's Update: Security Engineer Tavis Ormandy has said "The bash patch seems incomplete to me, function parsing is still brittle".
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
(Score: 0) by Anonymous Coward on Thursday September 25 2014, @05:03AM
I don't think anybody was ever under the impression that Bash was a bastion of security. War tested as much as anything common, sure, but there were no illusions about its level of complexity adding to threat surfaces.
As for Debuntu, from my understanding, only users who opt for a default desktop configuration in the next major release will see this. I think you ought to take a step back from your rhetoric that makes it sound like everyone is being forced to use systemd. There are a million Linux distros out there, not to mention plenty of Debuntu users interested in holding off on systemd for various amounts of time. This isn't like the government mandating a kill switch in phones that users can't opt out of. There is plenty of choice for everyone of our opinion that systemd could use more settling before the levels of adoption that it currently seems to enjoy. Of course, bash bugs like this don't really help systemd's case in that argument IMO. I.e. an init system relying on bash now looks a notch less attractive due to this bug. Which only increases the relative stature of systemd through no aspect of itself.
(Score: 2) by MrNemesis on Thursday September 25 2014, @11:56AM
I did a bare-minimum install from the latest jessie netinstall image the other day and systemd is now in there as default init regardless of whether you choose to install an X server or any DE (and you can't apt-pin it away on a new install like I have on my existing systems).
IIRC, init scripts on Debian have been using /bin/dash as default /bin/sh for quite some time because it's faster and lighter weight than bash.
"To paraphrase Nietzsche, I have looked into the abyss and been sick in it."