oss-sec mailing list archives

Re: CVE-2014-6271: remote code execution through bash


From: christos () zoulas com (Christos Zoulas)
Date: Thu, 25 Sep 2014 13:34:51 -0400

On Sep 25,  8:15pm, solar () openwall com (Solar Designer) wrote:
-- Subject: Re: [oss-security] CVE-2014-6271: remote code execution through b

| There's obviously a trade-off here.  I agree that keeping the error
| messages is the right thing if we can keep them contained to local usage
| (and local attack) scenarios under typical setups.  I think applying
| Florian's prefix-suffix patch will achieve that (besides its main goal
| of actually mitigating most attacks).
| 
| What do you think of distros' going with Florian's prefix-suffix patch
| right now?  I think it breaks function imports/exports between
| pre-patch and post-patch bash versions, but keeps them intact for
| patched versions.  Right?  If so, this sounds acceptable for immediate
| use by distros.  Do you agree?

I think that at this point the only salvation is to disable function
import by default and provide a command line flag and a "set" flag
to explicitly enable it (so that scripts that depend on it can
easily be fixed). It is not a widely used feature, and both subshells
and sourced scripts don't need it or use it. It might have seemed
like a good idea a couple of decades ago, but it needs to go.

christos

