bug-bash

CERT/NIST reveal level 10 bash alert today, 24 September 2014


From: Alexandre Ferrieux
Subject: CERT/NIST reveal level 10 bash alert today, 24 September 2014
Date: Thu, 25 Sep 2014 16:48:09 +0200

Is the response (workarounds and patch) being discussed elsewhere?


(1) Patch

Looking at the code, it seems that the problem is that in
initialize_shell_variables(), when an inheritable function is detected in
the environment by the "() {" prefix, we then directly
call parse_and_execute(), on the whole string.
Obviously this includes any trailing commands after "} ;". A proper fix
would need to tweak the parser to do a parse_and_execute_one_command().
Anybody already working along those lines?

(2) Workaround

Privileged mode skips the import of functions from the environment, hence
"#! /bin/bash -p" is a quick fix.
I assume that 99.9% of uses would be unaffected by the other side-effects
of -p.
Am I missing something?

-Alex
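
The condition described in the message above (an environment value starting with "() {" being handed whole to parse_and_execute()) can be audited, and such values dropped, before bash is started. This is an added example, not part of the original message or of bash's code; the brace-counting heuristic, the function names and the sample values are assumptions constructed for illustration.

```python
import os

FUNC_PREFIX = "() {"  # prefix the message says marks an inherited function


def trailing_after_body(value):
    """Text after the function body's closing brace; None if not a function value.
    Brace counting is a heuristic (assumption), not bash's own parser."""
    if not value.startswith(FUNC_PREFIX):
        return None
    depth, quote, i = 0, None, 0
    while i < len(value):
        ch = value[i]
        if quote:
            if ch == "\\" and quote == '"':
                i += 1              # skip the escaped character inside "..."
            elif ch == quote:
                quote = None
        elif ch == "\\":
            i += 1                  # skip an escaped character outside quotes
        elif ch in "'\"":
            quote = ch
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:          # end of the function body
                return value[i + 1:].strip(" \t\n;")
        i += 1
    return value                    # body never closed: report it all as suspect


def classify(value):
    tail = trailing_after_body(value)
    if tail is None:
        return "plain"
    return "function+trailing" if tail else "function"


def audit(env):
    """Names of function-style values, with their classification."""
    return {k: classify(v) for k, v in env.items() if classify(v) != "plain"}


def scrub_env(env):
    """Copy of env without any value bash would try to import as a function."""
    return {k: v for k, v in env.items() if not v.startswith(FUNC_PREFIX)}


# Constructed sample values (not taken from the message).
SAMPLE_ENV = {"PATH": "/usr/bin:/bin", "greet": "() { echo hello; }",
              "X_SAMPLE": "() { :;}; echo marker", "NOTE": "call f() { x; } later",
              "odd": "() { echo '}' ; }; echo marker"}

if __name__ == "__main__":
    print(audit(dict(os.environ)))
```

Passing `scrub_env(dict(os.environ))` as the `env` argument of `subprocess.run` starts the child shell without any function-style values, whatever follows their bodies.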

