Re: Bash-4.3 Official Patch 25

bug-bash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bash-4.3 Official Patch 25

From:	Eric Blake
Subject:	Re: Bash-4.3 Official Patch 25
Date:	Wed, 24 Sep 2014 15:38:31 -0600
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.0

On 09/24/2014 08:27 AM, Chet Ramey wrote:
>                            BASH PATCH REPORT
>                            =================
> 
> Bash-Release: 4.3
> Patch-ID:     bash43-025
> 
> Bug-Reported-by:      Stephane Chazelas <stephane.chazelas@gmail.com>
> Bug-Reference-ID:
> Bug-Reference-URL:

https://bugzilla.redhat.com/show_bug.cgi?id=1141597 describes this bug
(aka CVE-2014-6271), and points out that even _with_ this patch, there
is still a flaw that attackers can use to overwrite portions of the
filesystem, which is also a possible exploitation avenue:

$ ls -l date
ls: cannot access date: No such file or directory
$ env -i  X='() { (a)=>\' bash -c 'date'
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
$ ls -l date
-rw-------. 1 taviso taviso 0 Sep 24 14:06 date


> *** 359,369 ****
>         strcpy (temp_string + char_index + 1, string);
>   
> !       if (posixly_correct == 0 || legal_identifier (name))
> !         parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
> ! 
> !       /* Ancient backwards compatibility.  Old versions of bash exported
> !          functions like name()=() {...} */

Personally, I think that exporting functions via names that CANNOT be
valid normal variables, rather than excluding a subset of values to
normal variables that cannot be exported, would be the better course of
action.  It seems quite odd that my choice of whitespace in what I
thought was an arbitrary string assignment to a normal variable will
determine what my child process will see:

$ f='(){ :; }' bash -c 'type f; echo "\"$f\""'
bash: line 0: type: f: not found
"(){ :; }"
$ f='() { :; }' bash -c 'type f; echo "\"$f\""'
f is a function
f ()
{
    :
}
""

and I'd feel much more comfortable with exporting f()=... as the
backdoor for passing the function definition, _particularly_ since the
shell already allows functions and variables to co-exist:

$ bash -c 'export f=hello; f() { echo goodbye; }; echo "\"$f\""; f'
"hello"
goodbye

Here's hoping there's more official patches forthcoming.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

signature.asc
Description: OpenPGP digital signature

[Prev in Thread]

Current Thread

[Next in Thread]

Bash-4.3 Official Patch 25, Chet Ramey, 2014/09/24
- Re: Bash-4.3 Official Patch 25, Eric Blake <=
  - Re: Bash-4.3 Official Patch 25, Ángel González, 2014/09/24
    - Re: Bash-4.3 Official Patch 25, Wesley Hirsch, 2014/09/25
    - Re: Bash-4.3 Official Patch 25, Chet Ramey, 2014/09/25
  - Re: Bash-4.3 Official Patch 25, Chet Ramey, 2014/09/25
    - Re: Bash-4.3 Official Patch 25, Eric Blake, 2014/09/25
    - Re: Bash-4.3 Official Patch 25, Greg Wooledge, 2014/09/26
    - Re: Bash-4.3 Official Patch 25, Eric Blake, 2014/09/26
  - Message not available
    - Re: Bash-4.3 Official Patch 25, mark, 2014/09/26
- Re: Bash-4.3 Official Patch 25, Jason Vas Dias, 2014/09/25
  - Re: Bash-4.3 Official Patch 25, Greg Wooledge, 2014/09/25

Prev by Date: Re: Issues with exported functions
Next by Date: Re: Bash-4.3 Official Patch 25
Previous by thread: Bash-4.3 Official Patch 25
Next by thread: Re: Bash-4.3 Official Patch 25
Index(es):
- Date
- Thread