On 26 September 2014 19:44, Saso Kiselkov <skiselkov...@gmail.com> wrote:
> On 9/27/14, 1:41 AM, Nemo wrote:
[...]
>> Whence does the OI bash source originate? On the bash that comes with
>> Solaris 10, the vulnerability is not present:
>>
>> [~]=> bash --version
>> GNU bash, version 3.00.16(1)-release (sparc-sun-solaris2.10)
>> Copyright (C) 2004 Free Software Foundation, Inc.
>> [~]=> env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
>> completed
>
> In general, bash != /bin/sh on either Solaris or Illumos-derived
> systems. Rerun the env test with bash instead of /bin/sh.

[~]=> echo $SHELL
/bin/bash
[~]=> env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
completed

Note that I put bash into /bin to avoid GNUisms.

N.
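An added example, not part of the thread or of any OpenIndiana tooling: it runs the env test quoted above against each shell binary named explicitly, so a result for /bin/sh is not read as a result for bash. The function names and the list of paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example: run the env test from the thread against named shell binaries.
# MARKER, probe_shell and report_shells are hypothetical names for this example.
MARKER="busted"

# probe_shell PATH -> prints "vulnerable", "not-vulnerable" or "missing".
probe_shell() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo "missing"
        return 0
    fi
    # Same probe as in the thread: X holds a function definition followed by
    # a trailing command. An affected bash runs the trailing command while
    # importing X, so MARKER appears before "completed".
    out=$(env X="() { :;} ; echo $MARKER" "$shell_path" -c "echo completed" 2>/dev/null) || true
    case "$out" in
        *"$MARKER"*) echo "vulnerable" ;;
        *)           echo "not-vulnerable" ;;
    esac
}

# report_shells PATH... -> one tab-separated line per path: path, verdict.
report_shells() {
    for p in "$@"; do
        printf '%s\t%s\n' "$p" "$(probe_shell "$p")"
    done
}

# Candidate locations are assumptions; list wherever bash is installed on the
# system being checked, in addition to /bin/sh.
report_shells /bin/sh /bin/bash /usr/bin/bash
```

A "not-vulnerable" line for /bin/sh only describes whatever binary /bin/sh is on that host; the bash lines are the ones that answer the question asked in the thread.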