From: Jacek
Date: Thu, 25 Sep 2014 02:14:19 +0200
To: gentoo-hardened@lists.gentoo.org
CC: polynomial-c@gentoo.org
Subject: [gentoo-hardened] Bash in Gentoo is vulnerable.
Message-ID: <54235E5B.4090603@gmail.com>
List-Id: Gentoo Linux mail

Bash in Gentoo (app-shells/bash-4.2_p45) is vulnerable to this threat:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6271

Simple test:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Cheers ;-)

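The probe from the message above, wrapped so it can be run against every bash binary registered on a host; this is an added example and not part of the original post. The helper names `probe_bash` and `audit_shells` are hypothetical, and the default shells file `/etc/shells` is an assumption.

```shell
#!/bin/sh
# Added example: classify bash binaries with the CVE-2014-6271 probe
# quoted in the message. Helper names are hypothetical.

# probe_bash PATH
# Prints "vulnerable", "not-vulnerable" or "error".
# Returns 1 if vulnerable, 0 if not, 2 if the binary could not be tested.
probe_bash() {
    shell_path=$1
    [ -x "$shell_path" ] || { echo error; return 2; }
    # env -i starts from an empty environment, so the only variable the
    # shell imports is the probe itself. stderr is dropped because a
    # patched bash may print an "ignoring function definition" warning.
    out=$(env -i x='() { :;}; echo vulnerable' \
        "$shell_path" -c 'echo this is a test' 2>/dev/null </dev/null) || out=
    case $out in
        vulnerable*)        echo vulnerable;     return 1 ;;
        *'this is a test'*) echo not-vulnerable; return 0 ;;
        *)                  echo error;          return 2 ;;
    esac
}

# audit_shells [FILE]
# Probes every entry ending in /bash listed in FILE (default /etc/shells)
# and prints "<verdict><TAB><path>" per binary.
# Returns non-zero if any binary was vulnerable or untestable.
audit_shells() {
    shells_file=${1:-/etc/shells}
    [ -r "$shells_file" ] || return 2
    rc=0
    while IFS= read -r candidate; do
        case $candidate in
            */bash) ;;      # only bash is affected by this bug
            *) continue ;;  # comments, blank lines, other shells
        esac
        verdict=$(probe_bash "$candidate") || rc=1
        printf '%s\t%s\n' "$verdict" "$candidate"
    done < "$shells_file"
    return "$rc"
}

# Usage: audit_shells            (reads /etc/shells)
#        probe_bash /bin/bash
```

A binary reported as not-vulnerable has only passed this one probe.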