On 09/26/2014 02:57 PM, Alan Wild wrote: > I want to apologize for adding more confusion to this issue. My statements > about CVE-2014-7169 where incorrect and misguided. This change does not > remove function exporting but only changes how the function names are > encoded as variable names.
Actually, Chet's fix for CVE-2014-7169 (patch 26, mentioned here: http://www.openwall.com/lists/oss-security/2014/09/26/1) does NOT change how function names are encoded; that is a separate patch (such as this one that Red Hat is using: http://www.openwall.com/lists/oss-security/2014/09/25/13). I'm hoping that Chet will accept the direction that Red Hat has already decided to go and issue patch 27 as a result, but that is still under discussion. But yes, it means that the market is now fragmented - upstream bash and Red Hat bash currently use DIFFERENT syntax for converting raw exports into functions. Please read Red Hat's knowledge base article: https://access.redhat.com/articles/1200223 > If it helps reduce the confusion, machines with the older bash releases or > CVE-2014-6271 would export a function as follows: > > -bash-3.2$ bash -c 'x() { echo "functions still work" "$@"; }; export -f x; > env | egrep "functions still work"' > x=() { echo "functions still work" "$@" > but after the patch you get By "the patch", you are here referring to Red Hat's patch, not Chet's. > > -bash-3.2$ bash -c 'x() { echo "functions still work" "$@"; }; export -f x; > env | egrep "functions still work"' > BASH_FUNC_x()=() { echo "functions still work" "$@" Correct, this is symptomatic of a Red Hat build. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature
