
On Thu, Oct 02, 2014 at 07:22:57AM +1000 John Mann said:
On 2 October 2014 00:22, Douglas Ray <dougray@cpan.org> wrote:
... The only system with a real compromise was OS-X, the /bin/sh being a bash.
Apple have released an updated version of bash
http://support.apple.com/kb/HT1222
http://support.apple.com/kb/HT6495
http://support.apple.com/kb/DL1769
...
But: a) only first 2 CVEs are fixed.
$ bash --version
GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.

$ env '__BASH_FUNC<ls>()'="() { echo Game Over; }" /bin/sh -c ls
Game Over
b) the security fix is not pushed to all Macs by default.
Fixes for older versions of OS X are available here:
http://tenfourfox.blogspot.com.au/2014/09/bashing-bash-one-more-time-updated...

Sam
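
An added example, not part of the thread: a defender-side scan that flags environment variables which bash would treat as exported function definitions, such as the `__BASH_FUNC<ls>()` variable in the test quoted above. It goes beyond the one form shown in the thread: the `BASH_FUNC_name%%` form of upstream-patched bash and the any-name legacy form are assumptions added here, and the sample environment is constructed.

```python
import re

# Variable-name encodings bash has used for exported functions.
APPLE = re.compile(r"^__BASH_FUNC<([^>]+)>\(\)$")  # form shown in the thread
UPSTREAM = re.compile(r"^BASH_FUNC_(.+)%%$")       # assumption: upstream-patched bash
FUNC_BODY = re.compile(r"^\(\)\s*\{")              # value that opens a function definition


def classify(name, value):
    """Return (encoding, function_name) if the pair looks like an exported
    bash function, otherwise None."""
    if not FUNC_BODY.match(value):
        return None
    for label, pattern in (("apple-prefixed", APPLE),
                           ("upstream-suffixed", UPSTREAM)):
        m = pattern.match(name)
        if m:
            return (label, m.group(1))
    # Unpatched bash imports a function from a variable of any name.
    return ("legacy", name)


def scan(environ):
    """Return sorted (variable, encoding, function) findings for a mapping."""
    findings = []
    for name, value in environ.items():
        hit = classify(name, value)
        if hit:
            findings.append((name, hit[0], hit[1]))
    return sorted(findings)


# Constructed sample environment (not captured from a real system).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "__BASH_FUNC<ls>()": "() { echo Game Over; }",
    "BASH_FUNC_greet%%": "() {  echo hi\n}",
    "cleanup": "() { echo done; }",
    "EDITOR": "vi",
}

if __name__ == "__main__":
    import os
    for name, encoding, func in scan(os.environ):
        print(f"{encoding}: variable {name!r} defines function {func!r}")
```

A finding for a command name such as `ls` on a host whose `/bin/sh` is bash means that `sh -c ls` would run the function instead of the binary, which is what the quoted test shows.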