1

I just updated Ubuntu from an Update pop-up. I am aware of Shellshock, so I quickly went ahead with the install. Now, when I try running

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

I don't get the output (which I was getting before)

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

as described in What is the CVE-2014-6271 bash vulnerability (Shellshock) and how do I fix it?

Rather, now I just get 'hello'. Is it safe to assume the updates that I installed hide these error messages? After reviewing the Software Center, I see the following updates I installed:

unity-settings-daemon (14.04.0+14.04.20140414-0ubuntu1, 14.04.0+14.04.20140606-0ubuntu1)
aptdaemon-data (1.1.1-1ubuntu5, 1.1.1-1ubuntu5.1)
python-aptdaemon.gtk3widgets (1.1.1-1ubuntu5, 1.1.1-1ubuntu5.1)
bash (4.3-7ubuntu1.3, 4.3-7ubuntu1.4)
python-aptdaemon (1.1.1-1ubuntu5, 1.1.1-1ubuntu5.1)

More specifically, does 4.3-7ubuntu1.4 hide the function definition attempt error message? Sorry for the suspicion but after some Googling, I have yet to find a similar problem. Any clarity will be much appreciated. Thanks!

jerseybyte

1 Answer

4

According to this Fedora Magazine post:

env x='() { :;}; echo OOPS' bash -c :

This will print “OOPS” on a vulnerable system, but exit silently if bash has been patched.

This is the behaviour seen on:

  • Debian squeeze (bash package 4.1-3+deb6u2)
  • CentOS 6.5 (bash package 0:4.1.2-15.el6_5.2)
  • Arch Linux (bash package 4.3.026-1)

I speculate that this is how the fix is intended to make it behave, but for some reason, Ubuntu's initial bash patches produced the error instead of ignoring the extra code silently.


mattdm's comment:

The initial patches were actually intended to produce the error when a bad function definition was found in an environment variable. The updated patches only even look in specially-prefixed variables, which eliminates almost all of the real-world risk. Try env 'BASH_FUNC_x()'='() { :;}; echo OOPS' bash -c : — you should see an error.

I have verified this:

$ env 'BASH_FUNC_x()'='() { :;}; echo OOPS' bash -c :
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x`
$ bash --version | head -1
GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)
$ apt-cache policy bash | grep Installed
  Installed: 4.3-7ubuntu1.4
muru
  • The initial patches were actually intended to produce the error when a bad function definition was found in an environment variable. The updated patches only even look in specially-prefixed variables, which eliminates almost all of the real-world risk. Try env 'BASH_FUNC_x()'='() { :;}; echo OOPS' bash -c : — you should see an error. – mattdm Sep 30 '14 at 22:01
  • (I'm assuming that Ubuntu is using the same patch we are; there might be a minor difference.) – mattdm Sep 30 '14 at 22:02
  • @mattdm Thanks, you're correct! (Who's "we", btw?) – muru Oct 01 '14 at 08:05
  • "We" in that context is Fedora. – mattdm Oct 01 '14 at 14:43
  • @mattdm Ah, I didn't realize you were the author of the linked post. Great post, thanks! – muru Oct 01 '14 at 19:29
  • Thank you. And an update: the patch accepted upstream now uses %% for the suffix instead of (), so it'll be BASH_FUNC_x%% – mattdm Oct 01 '14 at 22:32
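
The probes from the question, the answer and the comments, combined into one check that tells the three possible outcomes apart. This is an added example, not part of the original thread; the function names `classify_output`, `probe`, `report` and `verdict` and the `BASH_BIN` override are assumptions made for it.

```shell
#!/bin/sh
# Added example: classify how a bash binary handles function definitions
# imported from the environment, using the probe commands quoted above.
MARKER=OOPS   # harmless marker echoed only if trailing code is executed

# classify_output TEXT -> vulnerable | rejected | ignored | unknown
classify_output() {
    case "$1" in
        *"$MARKER"*) echo vulnerable ;;  # code after the function body ran
        *"ignoring function definition attempt"*) echo rejected ;;
        "") echo ignored ;;              # variable was never parsed
        *)  echo unknown ;;              # e.g. binary missing or other error
    esac
}

# probe BASH_PATH VARNAME -> state for one environment variable name.
# LC_ALL=C keeps bash's warning text untranslated so it can be matched.
probe() {
    out=$(env LC_ALL=C "$2=() { :;}; echo $MARKER" "$1" -c : 2>&1) || true
    classify_output "$out"
}

# report BASH_PATH: the plain name, then the two prefixed encodings
# mentioned in the comments (the "()" suffix and the upstream "%%" suffix).
report() {
    for name in 'x' 'BASH_FUNC_x()' 'BASH_FUNC_x%%'; do
        printf '%-14s %s\n' "$name" "$(probe "$1" "$name")"
    done
}

# verdict BASH_PATH -> vulnerable | inconclusive | patched
verdict() {
    case "$(report "$1")" in
        *" vulnerable"*) echo vulnerable ;;
        *" unknown"*)    echo inconclusive ;;
        *)               echo patched ;;
    esac
}

report "${BASH_BIN:-bash}"   # BASH_BIN is an assumed override variable
```

For the package in the question (4.3-7ubuntu1.4), the outputs shown on this page correspond to `ignored` for `x` and `rejected` for `BASH_FUNC_x()`.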