[SATLUG] bash "word_lineno" vulnerability (CVE-2014-7187)

Bruce Dubbs bruce.dubbs at gmail.com
Thu Oct 16 15:33:26 CDT 2014


David Salisbury wrote:
> OK, just a follow-up for anyone who is interested -- with the help of a
> friend I've figured out why the test for this vulnerability wasn't
> working correctly on a fully-patched but older (2.05b) version of bash.
> As a reminder, it was failing on what just seemed to be a syntax error,
> not something vulnerability-related.  For reference, here's the test again:
>
> (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in
> {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187
> vulnerable, word_lineno"
>
> A friend of mine pointed out that the "{x..n}" syntax wasn't introduced
> into bash until v3+ (which I found documentation for here:
> http://tldp.org/LDP/abs/html/bashver3.html), so that's why the test was
> consistently failing even though bash was fully patched. If one were to
> take the test above, and instead of using the {1..200} syntax, just put
> "for x in 1 2 3 4 5...", etc., all the way to 200, the test works as it
> is supposed to even back in bash 2.05b.

You can also use

for x in $(seq 5); do echo $x; done

   -- Bruce


More information about the SATLUG mailing list