root@ubuntu:~# env var='() { ignore this;}; echo vulnerable' bash -c /bin/true
vulnerable
root@ubuntu:~# aptitude install bash -s
The following packages will be upgraded:
bash
1 packages upgraded, 0 newly installed, 0 to remove and 4 not upgraded.
Need to get 641 kB of archives. After unpacking 0 B will be used.
Do you want to continue? [Y/n/?] y
Would download/install/remove packages.
root@ubuntu:~# aptitude install bash
The following packages will be upgraded:
bash
1 packages upgraded, 0 newly installed, 0 to remove and 4 not upgraded.
Need to get 641 kB of archives. After unpacking 0 B will be used.
Do you want to continue? [Y/n/?] y
Get: 1 http://de.archive.ubuntu.com/ubuntu/ precise-updates/main bash amd64 4.2-2ubuntu2.3 [641 kB]
Fetched 641 kB in 0s (729 kB/s)
(Reading database ... 80529 files and directories currently installed.)
Preparing to replace bash 4.2-2ubuntu2.1 (using .../bash_4.2-2ubuntu2.3_amd64.deb) ...
Unpacking replacement bash ...
Processing triggers for man-db ...
Setting up bash (4.2-2ubuntu2.3) ...
update-alternatives: using /usr/share/man/man7/bash-builtins.7.gz to provide /usr/share/man/man7/builtins.7.gz (builtins.7.gz) in auto mode.
Current status: 4 updates [-1].
root@ubuntu:~# env var='() { ignore this;}; echo vulnerable' bash -c /bin/true
bash: warning: var: ignoring function definition attempt
bash: error importing function definition for `var'
Update: FYI: Yesterday evening I tried this fix on Mac OS X Lion. Didn't work.
Regards, Karl
«The Crux of the Biscuit is the Apostrophe»