0

My Bash shell version is GNU bash, version 4.1.2(2)-release (x86_64-redhat-linux-gnu).

I tested shellshock bug by using below command 

x='() { :;}; echo VULNERABLE' bash -c :.

It was not printed VULNERABLE message back.

I have read that the bug exist up to bash version 4.3 ( https://www.youtube.com/watch?v=u1H12rMdLTg )

what could be the reason.

fedorqui
  • 275,237
  • 103
  • 548
  • 598
Jobs
  • 1,257
  • 2
  • 14
  • 27
  • 2
    Almost all distros released out-of-band patches. Just because it wasn't fixed *upstream* until 4.3 doesn't mean that your distro are a bunch of incompetents. – Charles Duffy Feb 01 '17 at 15:39
  • ...if your OS is genuinely Red Hat, they had a patch out within days. Not one fully compatible with the final version's environment variable format for exported functions, but a working patch nonetheless. – Charles Duffy Feb 01 '17 at 15:40
  • "GNU/Linux" is a generic name for *all* operating systems combining a Linux kernel and a GNU userland. Red Hat is only one of the many, many distributions following this pattern. Which is to say, the question doesn't make sense. – Charles Duffy Feb 01 '17 at 15:43
  • All distributions -- Red Hat, Arch, Debian, Ubuntu, all of them -- apply patches to their packages, making them slightly different from what upstream releases. That's where their added value comes from -- they're providing a set of packages tested to work well together, with patches for compatibility issues, security bugs, etc. – Charles Duffy Feb 01 '17 at 15:44
  • BTW, I'm inclined to argue that this isn't really a question about software development. Perhaps [Unix SE](https://unix.stackexchange.com/) might be more appropriate? But wherever you ask it, be sure to provide your distro name and package version. – Charles Duffy Feb 01 '17 at 15:46
  • Why the distro name and package is important here , this is the bug of Bash right? – Jobs Feb 01 '17 at 15:56
  • but it's your distro that's packaging bash, and part of packaging is applying patches. So bash-as-distributed-by-Ubuntu or bash-as-distributed-by-Red-Hat are all a little bit different from upstream bash. – Charles Duffy Feb 01 '17 at 15:57
  • for instance, `/dev/tcp` is actually turned off by default in upstream bash (requires a compile-time flag to turn it on), but it probably works for you, right? That's something your distro did when they were building the package. – Charles Duffy Feb 01 '17 at 15:58
  • Yeah , Got it . Thanks a lot Charles :) – Jobs Feb 01 '17 at 15:58

1 Answers1

2

Updated packages with patches backported to the locally-supported version of bash were released for major distros within days of shellshock being identified. (Indeed, they were released in rather a hurry, and the interim fixes often used a different environment variable format for exported functions than what the final releases do, meaning that a function exported in one version of the shell often won't be recognized by another running as a subprocess).

Just because upstream didn't have a final patch merged doesn't mean your operating system or distribution didn't push a backport -- indeed, it would be wildly irresponsible for them not to.

Charles Duffy
  • 280,126
  • 43
  • 390
  • 441