Eric Blake wrote:
> This is a known issue, but NOT necessarily a security bug. In other
> words, it's no worse than running:
>
> env LD_PRELOAD=... ./test.sh
>
> with a malicious preload library. Remember, the security aspect of
> CVE-2014-6271 is that bash does unwanted parsing of the _contents_ of an
> environment variable, and NOT that it is tied to the _name_ of the
> variable. The exploit happens because well-known programs stick
> user-controlled contents into a name already under the program's
> control, and NOT because well-known programs are creating arbitrary
> names in the environment (that is, a vulnerable system running apache is
> NOT creating arbitrary variables, so much as sticking arbitrary contents
> into a variable named HTTP_...).

Thanks. I understood that the issue in CVE-2014-6271 is as below.

- bash does unwanted parsing of the _contents_ of an environment variable
- CVE-2014-6271 can be caused by any environment variable.

In my case, both conditions aren't fulfilled.
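
The distinction drawn in the quoted message, that the parsing is triggered by a variable's contents and not by its name, as an added defensive check (not part of either message): it walks a NUL-separated environ block and flags every entry whose value starts with `() {`, the prefix bash treated as an exported function definition. The function names, the sample block and the `HTTP_` prefix list (taken from the message's Apache example) are assumptions made for illustration.

```python
# Added example: classify environment entries by the shape of their VALUE.
# The variable NAME is only reported as context, it never decides the match.

FUNC_PREFIX = b"() {"                 # leading bytes of an exported function definition
REQUEST_PREFIXES = (b"HTTP_",)        # names a web server fills from request data (assumed list)


def parse_environ(block: bytes):
    """Split a NUL-separated environ block (the /proc/<pid>/environ layout)
    into (name, value) pairs. Values may contain '=' and newlines."""
    pairs = []
    for entry in block.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if not entry or not sep:
            continue                  # empty trailer or malformed entry without '='
        pairs.append((name, value))
    return pairs


def function_shaped(block: bytes):
    """Return (name, request_derived) for every entry whose value begins
    with the function-definition prefix, whatever the variable is called."""
    hits = []
    for name, value in parse_environ(block):
        if value.startswith(FUNC_PREFIX):
            request_derived = name.startswith(REQUEST_PREFIXES)
            hits.append((name.decode("utf-8", "replace"), request_derived))
    return hits


# Constructed sample block, not captured from a real process.
SAMPLE_ENVIRON = (
    b"PATH=/usr/bin:/bin\0"
    b"HTTP_USER_AGENT=() { :; }\0"    # fixed name, contents shaped like a function
    b"HTTP_ACCEPT=text/html\0"        # fixed name, ordinary contents
    b"myfunc=() { echo hi\n}\0"       # locally exported function, multi-line value
    b"NOTE=a=() { b\0"                # prefix appears, but not at the start of the value
    b"BROKEN\0"                       # no '=' at all
)

if __name__ == "__main__":
    for name, request_derived in function_shaped(SAMPLE_ENVIRON):
        origin = "request-derived name" if request_derived else "other name"
        print(f"{name}: value is function-shaped ({origin})")
```

An entry flagged under a request-derived name is the case the quoted message describes: a name under the program's control carrying contents supplied from outside.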