[SATLUG] bash "word_lineno" vulnerability (CVE-2014-7187)

David Salisbury david.salisbury at momentumweb.com
Thu Oct 16 15:07:43 CDT 2014


OK, just a follow-up for anyone who is interested -- with the help of a 
friend I've figured out why the test for this vulnerability wasn't 
working correctly on a fully-patched but older (2.05b) version of bash.  
As a reminder, it was failing on what just seemed to be a syntax error, 
not something vulnerability-related.  For reference, here's the test again:

(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in 
{1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 
vulnerable, word_lineno"

A friend of mine pointed out that the "{x..n}" syntax wasn't introduced 
into bash until v3+ (which I found documentation for here: 
http://tldp.org/LDP/abs/html/bashver3.html), so that's why the test was 
consistently failing even though bash was fully patched. If one were to 
take the test above, and instead of using the {1..200} syntax, just put 
"for x in 1 2 3 4 5...", etc., all the way to 200, the test works as it 
is supposed to even back in bash 2.05b.

Anyway, thanks to my friend for helping me figure this out, and 
hopefully someone else finds it interesting/useful! :)
-David



More information about the SATLUG mailing list