Re: CVE-2014-6271: remote code execution through bash

[mancha <mancha1 () zoho com>]

On Wed, Sep 24, 2014 at 12:08:46PM -0400, Chet Ramey wrote:
> On 9/24/14, 11:16 AM, Solar Designer wrote:
>
> > I see no good workaround. 
>
> You're correct; there is not a good workaround.  Since there are
> publicly available patches for all bash versions back 15 years or so,
> though, the best path forward is to apply those as quickly as
> possible.
>
> Chet

Hello Chet et al.

While taking a closer look at this issue on Bash 4.2, I noticed a
potential NULL deref. i.e.

  $ FOO='() { :;}; blah4242' bash -c "echo bleh"

This occurs in bgp_prune() where, because bgpids.npid=0 and
js_c_childmax=-1, the code in the loop executes but bgpids.list=NULL.

I didn't look closely enough to know if this situation is only reachable
via the recently-fixed vulnerable code-path or not.

--mancha

Attachment: _bin
Description: