On 2014-09-25 03:54:19 +0800, lolilolicon wrote:
> I think almost as severe as CVE-2014-6271 is that it's still possible to
> mask commands in a bash script by changing it's environment.
> 
> For example, true='() { false;}' or grep='() { /bin/id;}' ...
Yes, and BTW, I don't think this is POSIX compliant:

  8.1 Environment Variable Definition

  [...] The name space of environment variable names containing
  lowercase letters is reserved for applications. Applications can
  define any environment variables with names from this name space
  without modifying the behavior of the standard utilities.

This means that some application like sudo that needs to clean up
the environment could choose to keep these environment variables
with lowercase letters, and this could have really bad effects if
a bash script is executed.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Reply via email to