oss-sec mailing list archives
Re: Fwd: Non-upstream patches for bash
From: Chet Ramey <chet.ramey () case edu>
Date: Sun, 19 Oct 2014 17:34:14 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 9/29/14 11:44 AM, cve-assign () mitre org wrote:
the parser is not locale-agnostic. Here's an example how it can be exploited: http://bugs.python.org/issue22187
That's not actually an exploit, or even a bug.
The discussion in Issue22187 is about changing code in Python 2.x to work around this. However, is it useful to assign one new CVE-2014-#### ID for Bash, on the expectation that Bash was intended to recognize valid characters in zh_CN.GBK, but instead is identifying part of a two-byte character as a \ character, and this has security implications for products that attempt to do otherwise-correct quoting of untrusted strings for use in sh commands?
This is exactly the opposite of what is happening. The test in the link (message 226439) shows that bash and ksh are properly reading valid multibyte characters in the input and not treating backslashes that are the second byte of a multibyte character as escape characters. The other shells, presumably not multibyte-character-aware at all, incorrectly allow that backslash to escape the closing double quote. Posix is very careful to specify that the shell reads characters, and uses characters when deciding how to tokenize the input, instead of bytes. If those characters are multibyte, the shell is expected to read multiple bytes. Are you proposing that a multibyte character whose second byte happens to be a `|' should start a pipeline? Chet - -- ``The lyf so short, the craft so long to lerne.'' - Chaucer ``Ars longa, vita brevis'' - Hippocrates Chet Ramey, ITS, CWRU chet () case edu http://cnswww.cns.cwru.edu/~chet/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (Darwin) Comment: GPGTools - http://gpgtools.org iEYEARECAAYFAlRELlYACgkQu1hp8GTqdKtEsACfYyDVqQoaC2gTjQZhHTXWlSV3 iAsAn3EQrDeHo3ldByfbYgrGixYgZL+B =kgf1 -----END PGP SIGNATURE-----
Current thread:
- Re: Fwd: Non-upstream patches for bash Chet Ramey (Oct 19)