Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64'
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-pc-linux-gnu'
-DCONF_VENDOR='pc' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash' -DSHELL
-DHAVE_CONFIG_H -I. -I../. -I.././include -I.././lib
-D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4
-Wformat -Werror=format-security -Wall
uname output: Linux sojojojo 3.13.0-37-generic #64-Ubuntu SMP Mon Sep 22
21:28:38 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu
Bash Version: 4.3
Patch Level: 11
Release Status: release
Description:
Shell wrongly attaches stdin piped to command sequence with syntax error
Repeat-By:
On a login shell or interactive shell, paste the following command:
for x in 1 ; do echo $( { echo } ) ; done < <( echo touch /tmp/x2 )
The handling of the syntax error will cause stdin of the command
to become attached to the login shell, which will then execute:
touch /tmp/x2
and then logout.
This bogus behaviour does not occur if the for-loop is dropped from
the example.
This script demonstrates the problem in a shell script, where stdin
of the entire script is diverted, though not necessarily the
commands to be executed
#! /bin/bash
set -x
for x in 1 ; do echo $( { echo } ) ; done < <( echo touch /tmp/x2 )
cat
The text "touch /tmp/x2" is emitted to stdout
As this depends on a syntax error I haven't worked out how it might
be exploited as a security hole
