Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 5 Oct 2014 18:02:16 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code

On Sun, Oct 05, 2014 at 04:38:15AM -0700, Jose R R wrote:
> Hanno,
> 
> < https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck >
> 
> I've downloaded your bash test script and executed it against a Debian
> 7 (Wheezy) -patched system (upper image)
> 
> as well as a local Debian Sid (unstable) build of bash where I applied
> the October 02, 2014, bash43-029 (Bottom image)
> 
> < https://pbs.twimg.com/media/BzLfeIICQAA30vb.png:large >

This shows that your two systems are not vulnerable.

A "vulnerable but non-exploitable" condition doesn't actually exist.
It only means there's a non-security bug that would have been a security
bug under different circumstances (which is why it got a CVE ID).

> Thus agreeing with Sona:

This shows the widespread confusion.

> "but I think what most (non-expert) people
> need is an explanation for each CVE, a set of test case from some
> reliable source (preferably a script that runs all test cases and
> shows vulnerable/not-vulnerable status) and a set of patches. So that
> they can apply the patches, run the tests and assert that their
> systems are not vulnerable to shellshock anymore."

You only need the one-liner test from my reply to Sona:

http://www.openwall.com/lists/oss-security/2014/10/05/7

testfunc='() { echo bad; }' bash -c testfunc

(Besides, tests for some of those CVEs can't be made reliable anyway.)

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.