oss-sec mailing list archives
Re: CVE-2014-6271: remote code execution through bash
From: Chet Ramey <chet.ramey () case edu>
Date: Thu, 25 Sep 2014 11:36:24 -0400
On 9/24/14, 8:14 PM, Solar Designer wrote:
> On Wed, Sep 24, 2014 at 03:12:08PM -0400, Chet Ramey wrote:
>> There are several options for making shell functions inherited via the environment more robust, none of them backwards compatible. I will choose one and implement it for a future bash version. The leading candidates both raise the bar by requiring a potential attacker to be able to create arbitrarily-named environment variables as well as environment variables with specific values. I considered (and implemented) a blacklist approach that would have protected against a set of commonly-named variables (HTTP_*, CGI_*, SSH_*, LC_*, and so on), but the consensus was that that was too easily circumvented. I removed it from the distributed patches.
>
> What about no longer inheriting functions with names that don't contain any lowercase letters?

It's a heuristic like any other, but I think it's even more obscure and mysterious than the other suggestions.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU chet () case edu http://cnswww.cns.cwru.edu/~chet/
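As an added illustration, not code from this thread or from bash itself, the following Python compares the two name-based policies discussed above (the prefix blacklist and the no-lowercase-letters rule) on a constructed set of environment variable names. The blacklist is limited to the four prefixes Chet names; the sample names and the function names are assumptions made here.

```python
import re

# The four prefixes named in the thread; the "and so on" is not expanded.
BLACKLIST_PREFIXES = ("HTTP_", "CGI_", "SSH_", "LC_")


def blacklist_allows(name):
    """Blacklist policy: a function definition under this name would still be
    imported unless the name starts with one of the listed prefixes."""
    return not name.startswith(BLACKLIST_PREFIXES)


def lowercase_rule_allows(name):
    """Proposed rule: import only when the name contains a lowercase letter,
    so conventional all-caps variables (CGI, SSH, locale) are never imported."""
    return re.search(r"[a-z]", name) is not None


def compare_policies(names):
    """For each policy, return the names under which an exported function
    definition would still be honoured by the shell."""
    return {
        "blacklist": [n for n in names if blacklist_allows(n)],
        "lowercase_rule": [n for n in names if lowercase_rule_allows(n)],
    }


# Constructed sample of variable names, not taken from the thread.
SAMPLE_NAMES = [
    "HTTP_USER_AGENT",       # blocked by blacklist, blocked by lowercase rule
    "SSH_ORIGINAL_COMMAND",  # blocked by both
    "LC_ALL",                # blocked by both
    "QUERY_STRING",          # CGI variable outside the listed prefixes
    "TERM",                  # ordinary all-caps variable
    "my_func",               # a deliberately exported function name
    "MyFunc",                # mixed case, still has a lowercase letter
]

if __name__ == "__main__":
    for policy, allowed in compare_policies(SAMPLE_NAMES).items():
        print(f"{policy}: still imported -> {allowed}")
```

The blacklist lets through every all-caps name outside its list (here QUERY_STRING and TERM), which is the gap the thread calls easy to circumvent, while the lowercase rule reduces the importable set to names that look like deliberately exported functions.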