
CVE-2014-6271, CVE-2014-7169: remote code execution in bash

Details about the vulnerability in Bash were published today.
In short, Bash allows you to export functions as environment variables:

    $ myfunc() { echo "Hello"; }
    $ export -f myfunc
    $ env | grep -A1 ^myfunc
    myfunc=() { echo "Hello"
    }


The vulnerability is that if you add another command after the function body (after the last "}" character) and export the variable, that command is executed when a child interpreter is started:

    $ env x='() { :; }; echo "Oh..."' /bin/bash -c /sbin/nologin
    Oh...
    This account is currently not available.

This, in turn, allows you to do interesting things. For example, if you have a CGI script in Perl that calls Bash, an attacker can construct an HTTP request that contains malicious code. This code reaches Bash through environment variables and is executed.
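A defender can look for this in web server logs. The following is an added example, not code from the original post: it scans access-log lines for quoted fields that begin with the `() {` prefix shown above, using the post's own test string in a constructed log. Assumptions: Apache "combined" log format with `\"` escaping, so only the request line, Referer and User-Agent are visible; `sample_log` and `scan_log` are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the original post). Vulnerable bash treats any
# environment value that begins with "() {" as an exported function, and a
# CGI server copies request headers into HTTP_* environment variables.

# Constructed sample log, Apache "combined" format, documentation addresses.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :; }; echo \"Oh...\""
203.0.113.4 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "() { :; }; echo \"Oh...\"" "curl/7.38.0"
192.0.2.11 - - [25/Sep/2014:10:01:11 +0000] "GET /docs?q=f()%20{} HTTP/1.1" 200 40 "-" "Mozilla/5.0"
EOF
}

# Print "<client> <field>" for every quoted log field that starts with "() {".
# Assumption: quotes inside a value are logged as \" (Apache escaping).
scan_log() {
awk '
# Collect the quoted fields of one line into q[1..n]; \" and \\ stay data.
function quoted(line, q,    n, i, c, inq, buf) {
  n = 0; inq = 0; buf = ""
  for (i = 1; i <= length(line); i++) {
    c = substr(line, i, 1)
    if (inq && c == "\\") {            # keep the escaped character as data
      buf = buf c substr(line, i + 1, 1); i++
    } else if (c == "\"") {            # unescaped quote opens or closes a field
      if (inq) q[++n] = buf
      buf = ""; inq = !inq
    } else if (inq) {
      buf = buf c
    }
  }
  return n
}
BEGIN { name[1] = "request"; name[2] = "referer"; name[3] = "user-agent" }
{
  n = quoted($0, q)
  for (i = 1; i <= n; i++)
    if (index(q[i], "() {") == 1)      # prefix match only, as bash does
      print $1, ((i in name) ? name[i] : "field" i)
}'
}

sample_log | scan_log
```

A hit only shows that a request carried the prefix; whether anything ran depends on the Bash version behind the CGI handler, and headers that are not logged are not covered.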

All versions of Bash are vulnerable, starting with bash-1.14 (information from shellshocker.net).
In certain circles, the vulnerability is called "Bashdoor", which is not surprising.

More details can easily be found using the CVE ID.

UPD 2014-09-24: Some “Hindu” security blogs add “privilege escalation” to the name of the vulnerability. This is not true: there is no privilege escalation; the code is executed with the rights of the same user under which the “parent” shell runs.
On Twitter, the vulnerability has been dubbed shellshock.

UPD 2014-09-25: the fix for CVE-2014-6271 was incomplete; the identifier CVE-2014-7169 was assigned to the new vulnerability. Details are in the comments to the post.

UPD 2014-09-26: a fix for CVE-2014-7169 is available in the repositories of the main distributions. Red Hat Product Security posted a small FAQ on their blog.

Source: https://habr.com/ru/post/238021/

