Re: Issues with exported functions
I currently have this problem with the latest bash from Arch Linux which is biting my at(1) commands. Exported functions make the environment non-parseable.

##
robin@bunyip:~ $ export -nf psg hsg #clean out my exported functions
robin@bunyip:~ $ (env;echo echo 'hello') | bash
hello
robin@bunyip:~ $ bilbo(){
> echo 'precious'
> }
robin@bunyip:~ $ export -f bilbo
robin@bunyip:~ $ (env;echo echo 'hello') | bash
bash: line 29: syntax error near unexpected token `='
bash: line 29: `BASH_FUNC_bilbo()=() { echo 'precious''
robin@bunyip:~ $
###

latest bash changes can be seen here (various CVE stuff).
https://projects.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/bash&id=66b6f8f71f48b425c53b781c531697988413e503
Re: Issues with exported functions
On Saturday, September 27, 2014 3:51:23 PM UTC+1, Andreas Schwab wrote:
> becker...@gmail.com writes:
>
> > $ (env;echo echo 'hello') | bash
>
> You cannot expect that the output of env is parsable by a shell. First
> and foremost, it lacks any kind of quoting.

env may not be the issue, but the at command is fairly ancient in unix terms; it is well documented in the 1983 version of 'The UNIX System' by S.R.Bourne. The at(1) command breaks if the latest bash (4.3.026-1) is used in Arch Linux; the brokenness is observable. The current patches break stuff.
Re: Bash-4.3 Official Patch 27
On Sunday, September 28, 2014 3:50:07 AM UTC+1, Chet Ramey wrote:
> BASH PATCH REPORT
> ..
> --
> ``The lyf so short, the craft so long to lerne.'' - Chaucer
> ``Ars longa, vita brevis'' - Hippocrates
> Chet Ramey, ITS, CWRUc

If I use the Arch Linux [testing] bash-4.3.027-1, which uses this patch, then I have a patch against the at(1) source which converts exported functions into something that sh can parse and allows exported functions to be used in the environment that calls at.

Looking at this list it's not clear to me if the dust has settled on the shellshock fixes. Should I wait before sharing my patch or not? Also, is there anyone here who knows where such a patch should be sent?
Re: Bash-4.3 Official Patch 27
On Sunday, September 28, 2014 4:38:24 PM UTC+1, beck...@gmail.com wrote:
..
> If I use the Arch Linux [testing] bash-4.3.027-1, which uses this patch,
> then I have a patch against the at(1) source which converts exported
> functions into something that sh can parse and allows exported functions to
> be used in the environment that calls at.
> ...

Jon Seymour asked me if my at patch would fix the following vulnerability (presumably in at(1))

echo pwd | env "/tmp/exploit=me" at tomorrow

which I presume relies on acceptance of /tmp/exploit=me as a possible command. I'm not sure it does, since the current at code writes the variable name out unconditionally (i.e. no inspection of characters etc. etc.). I could probably raise an error for bad variable names, but I'm not sure I understand what characters are now illegal or what the lexical definition of bash/sh variable names is now. So I would appreciate advice on that.
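Added example, not part of the thread and not the poster's patch or the at(1) source: one way a program that copies its environment into an sh job script could screen each entry, accepting only POSIX shell names and single-quoting the value. The helpers put and emit_env_entry are hypothetical; entries whose names contain other characters, such as the BASH_FUNC_bilbo() and /tmp/exploit=me entries quoted above, are skipped here rather than converted.

```c
#include <stdio.h>
#include <string.h>
/* POSIX shell name: letters, digits, underscore; first character not a digit. */
static const char NAME_CHARS[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_";

static int is_posix_name(const char *s, size_t len)
{
    return len > 0 && !(s[0] >= '0' && s[0] <= '9') && strspn(s, NAME_CHARS) >= len;
}

/* Hypothetical helper: append len bytes to out, keeping room for the NUL. */
static int put(char *out, size_t outsz, size_t *n, const char *p, size_t len)
{
    if (*n + len >= outsz) return -1;
    memcpy(out + *n, p, len);
    *n += len;
    return 0;
}

/* Hypothetical helper: write "NAME='value'; export NAME\n" for one "NAME=value" entry.
 * Returns bytes written, 0 if skipped (not a POSIX name), -1 if out is too small. */
static int emit_env_entry(const char *entry, char *out, size_t outsz)
{
    const char *eq = strchr(entry, '=');
    size_t n = 0, namelen = eq ? (size_t)(eq - entry) : 0;
    if (eq == NULL || !is_posix_name(entry, namelen)) return 0;
    if (put(out, outsz, &n, entry, namelen) || put(out, outsz, &n, "='", 2))
        return -1;
    for (const char *p = eq + 1; *p; p++)  /* ' inside '...': close, escape, reopen */
        if (*p == '\'' ? put(out, outsz, &n, "'\\''", 4) : put(out, outsz, &n, p, 1))
            return -1;
    if (put(out, outsz, &n, "'; export ", 10) || put(out, outsz, &n, entry, namelen) ||
        put(out, outsz, &n, "\n", 1))
        return -1;
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed entries modelled on the ones in this thread. */
    const char *env[] = { "HOME=/home/robin", "MSG=it's", "/tmp/exploit=me",
                          "BASH_FUNC_bilbo()=() {  echo 'precious'\n}", NULL };
    char line[256];
    for (int i = 0; env[i]; i++)
        if (emit_env_entry(env[i], line, sizeof line) > 0)
            fputs(line, stdout);
    return 0;
}
```

Only the HOME and MSG entries reach the output; the other two are dropped because the text before the first = is not a valid name.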
Re: Bash-4.3 Official Patch 27
> I'd send it to your vendor. If appropriate they can send it upstream.
>
> Chet

I've sent this to a Debian person following advice on the Arch list I initially asked. It probably won't get used as I imagine they'll want a more general approach to all the various versions of the bash fixes. Our Ubuntu servers are showing .025 right now and have environments with BASH_FUNC_()='() {}' in them. Luckily I'm not using at on any of them and cron seems unaffected.

Thanks for all the hard work on these panic issues.