Bugzilla – Bug 898888
Bash 4.2-68.8.1 update does not fix the function environment using env x='( ) { :;} - the {bashbug}
Last modified: 2014-09-30 01:17:42 UTC
I received a bash 4.2-68.8.1 update for openSUSE 13.1 on Friday Sept. 26, 2014 that was supposed to address a command beginning with function environment that included { :;}

I issued the command that began with and included the function environment env x='() { :;} as shown in its totality below:

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Using bash 4.2-68.1.5 that came with openSUSE 13.1 before update gave the result:

    vulnerable
    this is a test

With bash 4.2-68.8.1 update from Fri. 26, 2014 the result is:

    this is a test

The correct result should be:

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
No, this is actually fine. The patch we released on Friday contains a hardening patch that does not even look at this variable anymore, so the error does not appear. Key is that the "vulnerable" is gone.

*** This bug has been marked as a duplicate of bug 898604 ***
Marcus, thank you for your help. We can mark this as resolved. Yes.
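
The three outcomes discussed in this thread, as an added example that is not part of the bug report or of the openSUSE patch: a POSIX shell helper that runs the reporter's test command against a given bash binary and classifies the result. The function names and result labels are hypothetical, and the sample outputs are the ones quoted in the report, embedded here as constructed test inputs.

```shell
#!/bin/sh
# Added example: classify the output of the function-import test from this report.
# Labels (hypothetical): vulnerable | patched-with-warning | hardened-silent | inconclusive

classify_output() {
    out=$1
    # The injected trailing command ran: the function import is exploitable.
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        echo "vulnerable"; return 0
    fi
    # The legitimate command must have run, otherwise the test proves nothing.
    if ! printf '%s\n' "$out" | grep -qx 'this is a test'; then
        echo "inconclusive"; return 0
    fi
    # Parser fix only: bash still inspects x and rejects it with a warning.
    if printf '%s\n' "$out" | grep -q 'ignoring function definition attempt'; then
        echo "patched-with-warning"; return 0
    fi
    # Hardening patch: the variable x is not looked at, so nothing is printed.
    echo "hardened-silent"
}

check_bash() {
    bin=${1:-bash}
    command -v "$bin" >/dev/null 2>&1 || { echo "inconclusive"; return 1; }
    # Same command as in the report; stderr is merged so warnings are captured.
    result=$(env x='() { :;}; echo vulnerable' "$bin" -c "echo this is a test" 2>&1)
    classify_output "$result"
}

# Sample outputs copied from the report (constructed inputs for offline use).
SAMPLE_BEFORE="vulnerable
this is a test"
SAMPLE_WARN="bash: warning: x: ignoring function definition attempt
bash: error importing function definition for \`x'
this is a test"
SAMPLE_SILENT="this is a test"

# Optional live check: pass the path of the bash binary as the first argument.
if [ $# -gt 0 ]; then
    check_bash "$1"
fi
```

Both `patched-with-warning` and `hardened-silent` mean the injected command did not run; only `vulnerable` indicates an unpatched binary.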