Can someone provide a patch which removes the whole stupid misfeature
from bash?

Programs do not need to inject executable code into their children via
environment variables, even if it is parsed properly. Shell scripted
applications should properly source all of the functions which they
need. Personal scripts can obtain functions from the user's .bashrc
file.

If an attacker somehow gains control over being able to define an
arbitrary environment variable, the attacker can replace a command like
"echo" with a harmful function. (That this is possible is easily
verified by a simple test at your system prompt; it's just a matter of
the attacker being able to somehow define an environment variable called
"echo").

Being able to define arbitrary environment variable names with untrusted
content is a hole in itself, but this feature instantly amplifies the
hole into an exploit.

At the very least, there should be a loud option to turn on this
inheritance behavior in the child bash, like "bash
--parse-functions-from-environment". If this option is not supplied,
then this behavior doesn't occur; variables with contents like "() {
.... }" are left alone.
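
An added example, not part of the original post: a Python wrapper that a calling program could use to drop variables a child bash might import as function definitions before it starts that child. It goes beyond the post by also matching the `BASH_FUNC_name%%` and `BASH_FUNC_name()` variable names that later, patched bash releases use for exported functions; the helper names and the sample environment are constructed for illustration.

```python
import os
import re
import subprocess

# Values that begin like the "() { .... }" contents described in the post.
LEGACY_VALUE = re.compile(r"^\(\)\s*\{")
# Variable names patched bash uses for exported functions (flagged by name alone).
ENCODED_NAME = re.compile(r"^BASH_FUNC_(.+?)(?:%%|\(\))$")


def find_function_vars(env):
    """Return [(variable, function_name, form)] for entries a child bash
    could import as a function definition."""
    findings = []
    for var, value in env.items():
        encoded = ENCODED_NAME.match(var)
        if encoded:
            findings.append((var, encoded.group(1), "encoded-name"))
        elif LEGACY_VALUE.match(value):
            findings.append((var, var, "legacy-value"))
    return sorted(findings)


def scrub_env(env):
    """Copy env without the flagged variables; also return the findings."""
    findings = find_function_vars(env)
    flagged = {var for var, _, _ in findings}
    clean = {k: v for k, v in env.items() if k not in flagged}
    return clean, findings


def run_bash(script_args, env=None):
    """Start bash with a scrubbed environment (assumes bash is on PATH)."""
    clean, findings = scrub_env(dict(os.environ if env is None else env))
    for var, func, form in findings:
        print(f"dropped {var}: would define function {func!r} ({form})")
    return subprocess.run(["bash", *script_args], env=clean, check=False)


# Constructed sample environment, not taken from the post.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "echo": "() { :; }",            # value form; would shadow "echo"
    "BASH_FUNC_ls%%": "() { :; }",  # name form used by patched bash
    "NOTE": "call f() { later }",   # ordinary value, kept
}

if __name__ == "__main__":
    print(scrub_env(SAMPLE_ENV))
```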