[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Issues with exported functions

From: Greg Wooledge
Subject: Re: Issues with exported functions
Date: Wed, 24 Sep 2014 16:07:33 -0400
User-agent: Mutt/

On Thu, Sep 25, 2014 at 03:54:19AM +0800, lolilolicon wrote:
> I think almost as severe as CVE-2014-6271 is that it's still possible to
> mask commands in a bash script by changing it's environment.
> For example, true='() { false;}' or grep='() { /bin/id;}' ...

I'm still waiting for someone to successfully exploit this and post
it to Chet.  Or maybe someone already did, and it's being kept quiet.

Of course, this category of exploit would require a reasonable guess
about which commands a script is going to use.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]