Bugtraq mailing list archives
Re: Bash Bug
From: chet () NIKE INS CWRU EDU (Chet Ramey)
Date: Thu, 22 Apr 1999 15:44:35 -0400
On Tue, 20 Apr 1999, Shadow wrote:

mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` "

Bash 1.x screws up during PS1 substitution (\w, \W). Bash 2.x does not seem to be vulnerable. Anyway, there's a hope even for those who want to stick to 1.x: replace \w with $PWD, \W with ${PWD##*/} (no guarantee).
This is correct; the bug was fixed in bash-2.0, which was released in December, 1996. If you're still running 1.14.x, or earlier versions, you should upgrade to bash-2.03.

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
( ``Discere est Dolere'' -- chet)
Chet Ramey, Case Western Reserve University Internet: chet () po CWRU Edu
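The prompt workaround quoted in this message, as an added example that is not part of the original posts: a version check against the 2.0 fix release and a rewrite of `\w` and `\W` in a prompt string. The function names and the sample prompt are hypothetical, and the rewrite carries the same "no guarantee" caveat as the quoted suggestion.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Return 0 if a bash version string is older than 2.0, the release the
# reply above names as containing the fix (e.g. "1.14.7(1)").
bash_needs_workaround() {
    case "$1" in
        [01].*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Rewrite a prompt string per the workaround quoted above:
#   \w -> $PWD        \W -> ${PWD##*/}
# An escaped backslash (\\) is swapped for a marker byte first, so "\\w"
# (a literal backslash followed by the letter w) is left untouched.
rewrite_prompt() {
    soh=$(printf '\001')
    printf '%s\n' "$1" | sed \
        -e 's/\\\\/'"$soh"'/g' \
        -e 's|\\w|$PWD|g' \
        -e 's|\\W|${PWD##*/}|g' \
        -e 's/'"$soh"'/\\\\/g'
}

# Constructed sample prompt, not taken from the posts.
sample='\u@\h:\w\$ '
if bash_needs_workaround "${BASH_VERSION:-unknown}"; then
    printf 'suggested PS1: %s\n' "$(rewrite_prompt "$sample")"
else
    printf 'shell version %s is not bash 1.x; prompt left as is\n' \
        "${BASH_VERSION:-unknown}"
fi
```

Assign the rewritten string to PS1 in single quotes so that `$PWD` is expanded each time the prompt is drawn rather than once at assignment.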