I am checking my systems with the following command:
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
Which gives me: "completed", with no "busted", which seems good. So I tried again with:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
Which results in:
bash: warning: testbug: ignoring function definition attempt
bash: error importing function definition for `testbug'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
Which again, seems good. However, when I run:
env x='()' ; echo vulnerable; bash -c "echo this is a test"
I get a dump of all environmental vars, followed by:
_=/usr/bin/env
x=()
vulnerable
bash: warning: testbug: ignoring function definition attempt
bash: error importing function definition for `testbug'
this is a test
Now I am concerned. Should I be?
EDIT: The two references to 'testbug' are due to a prior test which defined that variable. I unset that variable and the rest of the output still shows up.
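The following is an added example, not part of the original post. It runs the post's second probe against a given shell and reports only what the child shell itself printed. It also reproduces the third command line with the `bash` call left out, showing that the calling shell splits that line at each `;` outside the quotes. The function names and the marker string are assumptions made for the example.

```shell
#!/bin/sh
# Added example. All names below are hypothetical helpers.

# classify OUTPUT MARKER: the child shell ran the trailing command only if
# the marker shows up in what the child wrote to stdout.
classify() {
    case $1 in
        *"$2"*) echo "vulnerable" ;;
        *)      echo "not vulnerable" ;;
    esac
}

# check_import SHELL_PATH: run the function-import probe against one shell.
check_import() {
    shell_bin=$1
    if [ ! -x "$shell_bin" ]; then
        echo "not found"
        return
    fi
    marker="probe_marker_$$"   # constructed marker, unique per run
    # The whole value is quoted, so the `;` and the echo stay inside the
    # variable and are never parsed by the shell running this script.
    out=$(env x="() { :;}; echo $marker" "$shell_bin" -c 'echo done' 2>/dev/null)
    classify "$out" "$marker"
}

# third_command_without_bash: the first two commands of the post's third
# line, with the env dump discarded and no bash started at all.
third_command_without_bash() {
    env x='()' >/dev/null; echo vulnerable
}

# Report for the shells the post tested.
for s in /bin/sh /bin/bash; do
    printf '%s: %s\n' "$s" "$(check_import "$s")"
done
printf 'third line, no bash involved: %s\n' "$(third_command_without_bash)"
```

The last line of output reads `vulnerable` even though no bash process was started, which matches the third run in the post: `env x='()'` with no command prints the environment, and the `echo` after the `;` is executed by the interactive shell.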