CGI::Application and recent bash security hole
Dave Cross
dave at dave.org.uk
Fri Sep 26 16:11:10 BST 2014
Quoting gvim <gvimrc at gmail.com>:
>>
>> There's a second vulnerability that escapes the first bug patch.
>>
>> env X="() { (a)=>\\" bash -c '/dev/stdout date'
>>
>> If this prints the date, you still have a hole where bash can write content
>> to arbitrary files. ( And this trick somehow makes it write the date to
>> /dev/stdout. )
>>
>
> Kreist, I'm up **it Creek after all :(
Your distro almost certainly has a second patch already available.
Just update your installed package.

This article seems pretty good:
http://perltricks.com/article/115/2014/9/26/Shellshock-and-Perl
Dave...
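
Added example (not part of the original messages): a small wrapper around the probe quoted above, for confirming after a package update that the second patch is really in place. The function name, the marker string and the exit codes are assumptions made for this example, and `echo` of a marker is substituted for `date` so the result can be matched exactly.

```shell
#!/bin/sh
# Patch check built on the probe quoted in this thread (added example).
# Usage: check_bash_probe            -> tests the bash found on PATH
#        check_bash_probe /bin/bash  -> tests a specific binary

MARKER=probe_marker_second_patch   # constructed sentinel, any unique string works

# Prints one of: vulnerable | patched | missing
# Returns 0 if patched, 1 if vulnerable, 2 if the binary cannot be found.
check_bash_probe() {
    bash_bin=${1:-bash}
    bash_path=$(command -v "$bash_bin" 2>/dev/null) || { echo missing; return 2; }

    # Run in a throwaway directory so that a vulnerable parser, which can
    # write to files, cannot leave anything behind in the real cwd.
    workdir=$(mktemp -d) || { echo missing; return 2; }

    # Same environment value as the quoted probe: () { (a)=>\
    probe='() { (a)=>\'

    # Vulnerable bash: the marker appears on stdout, just as the date does
    # in the quoted probe.
    # Patched bash: X is an ordinary variable, /dev/stdout is treated as a
    # command name, that fails, and stdout stays empty.
    out=$(cd "$workdir" && env X="$probe" "$bash_path" -c "/dev/stdout echo $MARKER" 2>/dev/null) || true
    rm -rf "$workdir"

    case $out in
        *"$MARKER"*) echo vulnerable; return 1 ;;
        *)           echo patched;    return 0 ;;
    esac
}
```

Run it again after every bash package update; anything other than "patched" means the update did not take effect for that binary.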
More information about the london.pm mailing list