Bug 898888 - Bash 4.2-68.8.1 update does not fix the function environment using env x='( ) { :;} - the {bashbug}
Bash 4.2-68.8.1 update does not fix the function environment using env x='( ...
Status: RESOLVED DUPLICATE of bug 898604
Classification: openSUSE
Product: openSUSE 13.1
Classification: openSUSE
Component: Basesystem
x86-64 openSUSE 13.1
: P0 - Crit Sit : Major (vote)
: Final
Assigned To: E-mail List
E-mail List
Depends on:
  Show dependency treegraph
Reported: 2014-09-29 01:25 UTC by Roman Bysh
Modified: 2014-09-30 01:17 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Roman Bysh 2014-09-29 01:25:40 UTC
I received a bash 4.2-68.8.1 update for openSUSE 13.1 on Friday Sept. 26, 2014 that was supposed address a command beginning with function environment that included { :;}
I issued the command that began with and included the function environment 
env x='() { :;} as shown in its totality below:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Using bash 4.2-68.1.5 that came with openSUSE 13.1 before update gave the result:

this is a test

With bash 4.2-68.8.1 update from Fri. 26, 2014 the result is:

this is a test

The correct result should be:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
Comment 1 Marcus Meissner 2014-09-29 06:05:51 UTC
no, this is actually fine.

the patch we released on friday contains a hardening patch that not even looks at this variable anymore, so the error does not appear.

key is that the "vulnerable" is gone.

*** This bug has been marked as a duplicate of bug 898604 ***
Comment 2 Roman Bysh 2014-09-30 01:17:42 UTC

Thank you for your help. We can mark this as resolved. Yes.