Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 5 Oct 2014 18:02:16 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code

On Sun, Oct 05, 2014 at 04:38:15AM -0700, Jose R R wrote:
> Hanno,
> 
> < https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck >
> 
> I've downloaded your bash test script and executed it against a Debian
> 7 (Wheezy) -patched system (upper image)
> 
> as well as a local Debian Sid (unstable) build of bash where I applied
> the October 02, 2014, bash43-029 (Bottom image)
> 
> < https://pbs.twimg.com/media/BzLfeIICQAA30vb.png:large >

This shows that your two systems are not vulnerable.

A "vulnerable but non-exploitable" condition doesn't actually exist.
It only means there's a non-security bug that would have been a security
bug under different circumstances (which is why it got a CVE ID).

> Thus agreeing with Sona:

This shows the widespread confusion.

> "but I think what most (non-expert) people
> need is an explanation for each CVE, a set of test case from some
> reliable source (preferably a script that runs all test cases and
> shows vulnerable/not-vulnerable status) and a set of patches. So that
> they can apply the patches, run the tests and assert that their
> systems are not vulnerable to shellshock anymore."

You only need the one-liner test from my reply to Sona:

http://www.openwall.com/lists/oss-security/2014/10/05/7

testfunc='() { echo bad; }' bash -c testfunc

(Besides, tests for some of those CVEs can't be made reliable anyway.)

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ