[SATLUG] bash "word_lineno" vulnerability (CVE-2014-7187)

Bruce Dubbs bruce.dubbs at gmail.com
Mon Oct 6 12:59:15 CDT 2014


David Salisbury wrote:
> I've got an old bash version (2.05b) which has been fully patched up to
> the latest patch, bash205b-013 (released yesterday, Oct 5th, 2014), but
> it still seems vulnerable to the CVE-2014-7187 vulnerability, aka the
> "word_lineno" vulnerability.  The one-liner to test it, per several
> security web sites and the Shellshock entry on Wikipedia, is:
>
> (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in
> {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187
> vulnerable, word_lineno"
>
> If vulnerable, then the line at the end is printed out.  From what I've
> read, the word_lineno issue should have been fixed a couple of patches
> ago, and the "patched-up-to-013" version of bash I'm using successfully
> passes the 5 other vulnerability tests (CVE-2014-6271, CVE-2014-7169,
> CVE-2014-7186, CVE-2014-6277, CVE-2014-6278) with no problem.  I'm
> starting to wonder if this one-liner is actually accurate?!
>
> The error I get when running it is:
> bash: line 2: `x{1..200}': not a valid identifier
>
> And then it prints the "CVE-2014-7187 vulnerable, word_lineno" line. And
> it has exhibited this same behavior with at least the last two patches
> before.  It almost seems to me like it's just cratering on a syntax
> error, and that's why it's printing the right side of the "or". Any
> thoughts?

Since bash-2.05b was released 17-Jul-2002, don't you think it's time for 
an upgrade?  Why not just go to bash-4.3?

   -- Bruce





More information about the SATLUG mailing list