[SATLUG] bash "word_lineno" vulnerability (CVE-2014-7187)

David Salisbury david.salisbury at momentumweb.com
Mon Oct 6 12:36:41 CDT 2014


I've got an old bash version (2.05b) which has been fully patched up to 
the latest patch, bash205b-013 (released yesterday, Oct 5th, 2014), but 
it still seems vulnerable to the CVE-2014-7187 vulnerability, aka the 
"word_lineno" vulnerability.  The one-liner to test it, per several 
security web sites and the Shellshock entry on Wikipedia, is:

(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

If vulnerable, then the line at the end is printed out.  From what I've 
read, the word_lineno issue should have been fixed a couple of patches 
ago, and the "patched-up-to-013" version of bash I'm using successfully 
passes the 5 other vulnerability tests (CVE-2014-6271, CVE-2014-7169, 
CVE-2014-7186, CVE-2014-6277, CVE-2014-6278) with no problem.  I'm 
starting to wonder if this one-liner is actually accurate?!

The error I get when running it is:
bash: line 2: `x{1..200}': not a valid identifier

And then it prints the "CVE-2014-7187 vulnerable, word_lineno" line.  
And it has exhibited this same behavior with at least the last two 
patches before.  It almost seems to me like it's just cratering on a 
syntax error, and that's why it's printing the right side of the "or".  
Any thoughts?
-David
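
Added example, not part of the original post: `{1..200}` sequence expansion first appeared in bash 3.0, so on 2.05b the generator half of the one-liner emits a literal `x{1..200}` and the shell under test exits non-zero on that syntax error. The sketch below builds the same nested loops without brace expansion and separates a signal-terminated child from an ordinary error; the function names and the three result labels are hypothetical, and treating an exit status above 128 as the crash indicator is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Emit N nested "for" headers followed by N "done" lines, using a counter
# loop so the generator also works on shells without {1..N} expansion.
gen_nested_for() {
    depth=$1
    i=1
    while [ "$i" -le "$depth" ]; do
        echo "for x$i in ; do :"
        i=$((i + 1))
    done
    i=1
    while [ "$i" -le "$depth" ]; do
        echo "done"
        i=$((i + 1))
    done
}

# Map the exit status of the shell under test to a verdict.
# Assumption: a status above 128 means the child was killed by a signal
# (139 = 128 + SIGSEGV), which is what a parser memory error looks like.
# Any other non-zero status (syntax error, etc.) says nothing either way.
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo "not-vulnerable"
    elif [ "$1" -gt 128 ]; then
        echo "crash"
    else
        echo "inconclusive"
    fi
}

# Feed the generated script to the shell named in $1 (depth in $2,
# default 200 as in the one-liner) and print the verdict.
check_word_lineno() {
    target=$1
    depth=${2:-200}
    status=0
    gen_nested_for "$depth" | "$target" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# Stand-alone use: sh thisfile.sh --run /path/to/bash
if [ "${1:-}" = "--run" ]; then
    check_word_lineno "${2:-bash}"
fi
```

An "inconclusive" result means the shell rejected or failed the input without crashing, which is the case the original `|| echo` test reports as vulnerable.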


