[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bash-4.3 Official Patch 25

From: Eric Blake
Subject: Re: Bash-4.3 Official Patch 25
Date: Wed, 24 Sep 2014 15:38:31 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.0

On 09/24/2014 08:27 AM, Chet Ramey wrote:
>                            BASH PATCH REPORT
>                            =================
> Bash-Release: 4.3
> Patch-ID:     bash43-025
> Bug-Reported-by:      Stephane Chazelas <address@hidden>
> Bug-Reference-ID:
> Bug-Reference-URL:

https://bugzilla.redhat.com/show_bug.cgi?id=1141597 describes this bug
(aka CVE-2014-6271), and points out that even _with_ this patch, there
is still a flaw that attackers can use to overwrite portions of the
filesystem, which is also a possible exploitation avenue:

$ ls -l date
ls: cannot access date: No such file or directory
$ env -i  X='() { (a)=>\' bash -c 'date'
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
$ ls -l date
-rw-------. 1 taviso taviso 0 Sep 24 14:06 date

> *** 359,369 ****
>         strcpy (temp_string + char_index + 1, string);
> !       if (posixly_correct == 0 || legal_identifier (name))
> !         parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
> ! 
> !       /* Ancient backwards compatibility.  Old versions of bash exported
> !          functions like name()=() {...} */

Personally, I think that exporting functions via names that CANNOT be
valid normal variables, rather than excluding a subset of values to
normal variables that cannot be exported, would be the better course of
action.  It seems quite odd that my choice of whitespace in what I
thought was an arbitrary string assignment to a normal variable will
determine what my child process will see:

$ f='(){ :; }' bash -c 'type f; echo "\"$f\""'
bash: line 0: type: f: not found
"(){ :; }"
$ f='() { :; }' bash -c 'type f; echo "\"$f\""'
f is a function
f ()

and I'd feel much more comfortable with exporting f()=... as the
backdoor for passing the function definition, _particularly_ since the
shell already allows functions and variables to co-exist:

$ bash -c 'export f=hello; f() { echo goodbye; }; echo "\"$f\""; f'

Here's hoping there's more official patches forthcoming.

Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]