CGI::Application and recent bash security hole

gvim gvimrc at
Fri Sep 26 13:06:01 BST 2014

> There's a second vulnerability that escapes the first bug patch.
>   env X="() { (a)=>\\" bash -c '/dev/stdout date'
> If this prints the date, you still have a hole where bash can write content
> to arbitrary files. ( And this trick somehow makes it write the date to
> /dev/stdout.  )

Kreist, I'm up **it Creek after all :(


More information about the mailing list