Bug 900127 - CVE-2014-6277 Vulnerable with latest version of bash in openSUSE 13.1 and SLES 11 SP3
CVE-2014-6277 Vulnerable with latest version of bash in openSUSE 13.1 and SLE...
Classification: openSUSE
Product: openSUSE 13.1
Classification: openSUSE
Component: Security
Other Other
: P5 - None : Critical (vote)
: ---
Assigned To: Security Team bot
E-mail List
Depends on:
  Show dependency treegraph
Reported: 2014-10-07 18:29 UTC by Ben Kevan
Modified: 2016-04-27 21:04 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Ben Kevan 2014-10-07 18:29:49 UTC
Using the following: 

bash -c "() { x() { _; }; x() { _; } <<`cat /etc/passwd >/tmp/passwd`; }" bash -c :

I can cat /etc/passwd to /tmp/passwd showing that the version of bash shipping with SLES 11 SP3 and openSUSE 13.1 are vulnerable to CVE-2014-6277 which is in direct conflict of what's stated in https://www.suse.com/support/shellshock/ with the following paragraph: 

"There have been additional disclosures about related security vulnerabilities involving the Bash shell, but your SUSE Linux Enterprise-based systems are not impacted if they have recently been patched. The patches provided for CVE-2014-6271 and CVE-2014-7169 also take care of these new issues. CVE-2014-6277 and CVE-2014-6278 describe these new issues in greater detail."
Comment 1 Sebastian Krahmer 2014-10-08 07:57:50 UTC
As answered by email:

I think that works as expected. You are using weak quotes.

If you use ' rather than ", its all fine. The cat command
is expanded as it should.

Thats the same as echo '$(id)' vs. echo "$(id)"
The () {... is just garbage, the backticks and weak quotes do the