by fabulist 4288 days ago
Test your local machine:

export evil='() { :;}; echo vulnerable'; bash -c echo;

Vulnerable computers will print 'vulnerable'.

Test a CGI:

curl -i -X HEAD "http://website" -A '() { :;}; echo "Warning: Server Vulnerable"'

Vulnerable scripts will emit a "Warning" header. If you get a 405 error, try it with a GET request.

I don't know the PoC for the new version which wiggles around the patch.

I've tried the PoC on ksh, csh, and dash; if they're affected, it's more nuanced. It's advisable to rename bash and replace it with a symlink to dash; it shouldn't break any scripts, and even if it does, it's better than getting owned.

    mv /bin/bash /bin/_bash
    chmod ugo-x /bin/_bash
    ln -s /bin/dash /bin/bash
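As an added, self-contained check that is not part of fabulist's post or of the thread, the POSIX sh function below runs the same local probe as the one at the top of the post and classifies the outcome. It also covers the "which bash" point and the "ignoring function definition attempt" warning raised in the comments. The function name and the four result labels are my own naming, not anything from bash or the thread.

```shell
#!/bin/sh
# Added example: classify the local bash using the same probe as the post above.
# Outputs one of (labels are my own):
#   no-bash         : no bash on PATH (the "which bash" case from the comments)
#   vulnerable      : the command appended after the function body was executed
#   patched-warning : bash printed "ignoring function definition attempt", i.e. the
#                     first patch is applied (the thread notes this alone is not enough)
#   clean           : the variable was neither executed nor flagged
shellshock_check() {
    bash_path=$(command -v bash 2>/dev/null) || { echo "no-bash"; return 0; }
    # Same payload as the post: a function-shaped value with a command appended.
    # Only the child bash sees it; the caller's environment is left untouched.
    out=$(evil='() { :;}; echo vulnerable' "$bash_path" -c 'echo probe' 2>&1)
    case "$out" in
        *vulnerable*)                             echo "vulnerable" ;;
        *"ignoring function definition attempt"*) echo "patched-warning" ;;
        *)                                        echo "clean" ;;
    esac
}

# Non-zero exit status only when the appended command actually ran, so the
# check can gate a provisioning or audit script.
shellshock_check_exit() {
    [ "$(shellshock_check)" != "vulnerable" ]
}

shellshock_check
```

On a bash that never received the warning-emitting patch the result is "vulnerable"; on one carrying that patch it is "patched-warning"; a bash that no longer imports functions from plain-named variables at all reports "clean". As the thread says, "patched-warning" only shows the first patch is present, not that the follow-up issue is fixed.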

3 comments

> It's advisable to rename bash and replace it with a symlink to dash; it shouldn't break any scripts

It most certainly will. dash provides a tiny subset of bash's functionality. Even scripts using #!/bin/sh often contain bashisms; a script using #!/bin/bash is certain to contain bashisms.

If you really want to swap out bash, swapping it out with ksh is likely to break fewer scripts (though it could still break scripts - ksh and bash are similar but not the same - so I don't recommend you do this).

And neither dash nor ksh have this "feature" of exporting functions through environment variables.

You're right, and I didn't find this out until after I couldn't edit my post. My mistake.

I still contend that it's a good idea. Most shell scripts used by the OS are written to dash in my experience; if you break ones you've added yourself, this is perhaps a good opportunity to review their security.

Actually, the first test would be 'which bash', since not all systems have it installed by default.

Notably, FreeBSD, which has never included it by default.

so

    bash: warning: evil: ignoring function definition attempt
    bash: error importing function definition for `evil'

would mean it's not?

That's the message you get on a patched machine. However, the patch is not sufficient: https://news.ycombinator.com/item?id=8365216 .

So from what I can tell, neither my Raspbian nor Ubuntu setups have this second vulnerability properly patched yet (although they have the first one).

I guess I'll just have to wait until it becomes available. They're usually pretty responsive about issues like this.

Or an earlier version of bash (4.1), which I'm assuming (haven't installed any patches within the last month on a CentOS 6 machine) hasn't got the issue?

If you see that "ignoring function definition attempt" message you definitely have the first patch applied (but not necessarily a fix for the second problem). That diagnostic was added by the patch itself. See http://ftp.gnu.org/pub/gnu/bash/bash-4.1-patches/bash41-012

Maybe you have auto-update turned on and didn't realize it?

It has; there is a patch for bash 4.1:

ftp://ftp.gnu.org/pub/gnu/bash/bash-4.1-patches/bash41-012