oss-sec mailing list archives
Re: CVE-2014-6271: remote code execution through bash
From: Tim <tim-security () sentinelchicken org>
Date: Wed, 24 Sep 2014 09:42:53 -0700
>> I see no good workaround. Starting the forced command with >> "unset >SSH_ORIGINAL_COMMAND &&" does not help - we'd need >> to unset the variable before starting bash, not from bash. > Won't installing dash and setting the shell of users who have > forced commands to dash mitigate this somehow? Possibly, that will require making /bin/sh symlink to point at dash (or zsh, or whatever) as well...
Right, and it makes sense to do this. Bash doesn't belong as /bin/sh to begin with. It's slow to load, uses 5 times as much memory as dash and doesn't exactly encourage you to write posix-compliant shell scripts. Bash's redeeming qualities lie in it's UI, not in it's non-interactive scripting. tim
Current thread:
- CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Henri Salo (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Alexander E. Patrakov (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash gremlin (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Tim (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Rich Felker (Sep 25)
- Re: CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash mancha (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
- Re: CVE-2014-6271: remote code execution through bash Alan J. Wylie (Sep 26)
- Re: CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Hanno Böck (Sep 24)