On 09/24/2014 08:27 AM, Chet Ramey wrote: > BASH PATCH REPORT > ================= > > Bash-Release: 4.3 > Patch-ID: bash43-025 > > Bug-Reported-by: Stephane Chazelas <stephane.chaze...@gmail.com> > Bug-Reference-ID: > Bug-Reference-URL:
https://bugzilla.redhat.com/show_bug.cgi?id=1141597 describes this bug (aka CVE-2014-6271), and points out that even _with_ this patch, there is still a flaw that attackers can use to overwrite portions of the filesystem, which is also a possible exploitation avenue: $ ls -l date ls: cannot access date: No such file or directory $ env -i X='() { (a)=>\' bash -c 'date' bash: X: line 1: syntax error near unexpected token `=' bash: X: line 1: `' bash: error importing function definition for `X' $ ls -l date -rw-------. 1 taviso taviso 0 Sep 24 14:06 date > *** 359,369 **** > strcpy (temp_string + char_index + 1, string); > > ! if (posixly_correct == 0 || legal_identifier (name)) > ! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); > ! > ! /* Ancient backwards compatibility. Old versions of bash exported > ! functions like name()=() {...} */ Personally, I think that exporting functions via names that CANNOT be valid normal variables, rather than excluding a subset of values to normal variables that cannot be exported, would be the better course of action. It seems quite odd that my choice of whitespace in what I thought was an arbitrary string assignment to a normal variable will determine what my child process will see: $ f='(){ :; }' bash -c 'type f; echo "\"$f\""' bash: line 0: type: f: not found "(){ :; }" $ f='() { :; }' bash -c 'type f; echo "\"$f\""' f is a function f () { : } "" and I'd feel much more comfortable with exporting f()=... as the backdoor for passing the function definition, _particularly_ since the shell already allows functions and variables to co-exist: $ bash -c 'export f=hello; f() { echo goodbye; }; echo "\"$f\""; f' "hello" goodbye Here's hoping there's more official patches forthcoming. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature
