oss-sec mailing list archives

Re: CVE-2014-6271: remote code execution through bash

From: gremlin () gremlin ru
Date: Wed, 24 Sep 2014 20:32:42 +0400

On 24-Sep-2014 22:01:50 +0600, Alexander E. Patrakov wrote:

I see no good workaround. Starting the forced command with
"unset >SSH_ORIGINAL_COMMAND &&" does not help - we'd need
to unset the variable before starting bash, not from bash.

Won't installing dash and setting the shell of users who have
forced commands to dash mitigate this somehow?


Possibly, that will require making /bin/sh symlink to point at
dash (or zsh, or whatever) as well...


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net

Current thread:

CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)
  - Re: CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
  - Re: CVE-2014-6271: remote code execution through bash Henri Salo (Sep 24)
  - Re: CVE-2014-6271: remote code execution through bash Alexander E. Patrakov (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash gremlin (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Tim (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Rich Felker (Sep 25)
  - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash mancha (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Alan J. Wylie (Sep 26)
  - Re: CVE-2014-6271: remote code execution through bash Michal Zalewski (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)

(Thread continues...)