Bugtraq mailing list archives
Re: Bash Bug
From: hno () HEM PASSAGEN SE (Henrik Nordstrom)
Date: Thu, 22 Apr 1999 13:10:52 +0200
Shadow wrote:
mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` " and someone cd's into said directory, either by accident, or whatever, then it will cause it to actually execute.
It is a vulnerability of the prompt parsing, or more specifically the \w
or \W prompt escapes for showing the current directory. These get parsed
before backquote parsing of the prompt string.
Workaround: Make sure the variable PS1 is set to something not including
the above escapes when cd'ing into directories with backquotes or $ as
part of their name.
Patch for bash-1.14.7 attached.
bug-bash () prep ai mit edu has been notified.
--
Henrik Nordstrom
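The workaround described above, sketched as a shell wrapper. This is an added example, not part of the original message or of bash, and `prompt_unsafe_path`, `guarded_cd`, `SAFE_PS1` and `SAVED_PS1` are hypothetical names. It swaps PS1 for a prompt without \w or \W whenever the current directory's path contains a backquote or `$`.

```bash
# Fixed prompt with no \w or \W escape (assumed value; pick your own).
SAFE_PS1='[untrusted dir] \$ '

# Return 0 when the path contains a character that would be re-parsed
# after \w / \W expansion: a backquote or a dollar sign.
prompt_unsafe_path() {
    case $1 in
        *'`'*|*'$'*) return 0 ;;
    esac
    return 1
}

# cd wrapper: change directory, then choose PS1 from the resulting $PWD.
# The whole path is checked, because \w displays the whole path.
guarded_cd() {
    command cd "$@" || return
    if prompt_unsafe_path "$PWD"; then
        # Save the normal prompt once, then fall back to the fixed one.
        [ -n "${SAVED_PS1+set}" ] || SAVED_PS1=$PS1
        PS1=$SAFE_PS1
    elif [ -n "${SAVED_PS1+set}" ]; then
        # Back in an ordinary directory: restore the saved prompt.
        PS1=$SAVED_PS1
        unset SAVED_PS1
    fi
}
```

The wrapper only covers directory changes made through `guarded_cd`; a shell started inside such a directory, or a change made with pushd/popd, is not checked.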
Attachment: bash_prompt.diff
--- parse.y.orig Thu Apr 22 11:53:01 1999
+++ parse.y Thu Apr 22 12:56:34 1999
@@ -2729,6 +2729,17 @@
#else
getwd (t_string);
#endif /* EFFICIENT */
+ if (strcspn(t_string, slashify_in_quotes) < strlen(t_string)) {
+ char t_string2[MAXPATHLEN];
+ int i, j;
+ for (i = 0, j = 0 ; t_string[i] && j < MAXPATHLEN - 2 ; i++) {
+ if (member(t_string[i], slashify_in_quotes))
+ t_string2[j++] = '\\';
+ t_string2[j++] = t_string[i];
+ }
+ t_string2[j] = '\0';
+ strcpy(t_string, t_string2);
+ }
if (c == 'W')
{
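Review bot: the strcpy(t_string, t_string2) that closes the new block writes back a string that can be longer than the one getwd() produced, since every character found in slashify_in_quotes gains a backslash, and nothing in this hunk shows how large t_string is. Please confirm t_string holds at least MAXPATHLEN bytes (the bound the loop enforces on t_string2), or copy with an explicit length. Separately, the loop condition j < MAXPATHLEN - 2 stops silently when the escaped path runs out of room, so the prompt would show a truncated directory with no indication; a short comment stating that this truncation is intended would help. The strcspn()/strlen() pre-check also walks the string twice before the loop walks it again; testing t_string[strcspn(t_string, slashify_in_quotes)] != '\0' avoids the extra pass.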
