oss-sec mailing list archives

Re: CVE-2014-6271: remote code execution through bash

From: Pierre Schweitzer <pierre () reactos org>
Date: Wed, 24 Sep 2014 21:39:37 +0200


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Naive question regarding statement below. Does that mean that exec*()
system calls are concerned as well (like for instance called from a fork())?

Regards,

On 24/09/2014 18:23, Michal Zalewski wrote:

Note that on Linux systems where /bin/sh is symlinked to /bin/bash,
any popen() / system() calls from within languages such as PHP would
be of concern due to the ability to control HTTP_* in the env.

/mz



- -- 
Pierre Schweitzer <pierre at reactos.org>
System & Network Administrator
Senior Kernel Developer
ReactOS Deutschland e.V.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUIx35AAoJEHVFVWw9WFsLU7QP/3E77YP5Arh3UMrTYYd0ylfa
r/L0k4t9/OSs9fg1GWsr6GP+Jma82y61uavFnE9LglAEY2A5hEkFdCWuPm6r2d58
iOJVaCUdZH8x0NyM6nMmvnG0GKMyQgn9LyzKMeHTUmChIIscYaL22RGq2wI/Bm2N
xk04VpxXM/kgdRhGUlKqmahEEskLeiSZlbfhKCT+4WXptFdOIdcAlIg3UW13QPk5
EO0neFqbsLZLWYz/a4CAVoANt8UFUhSrceH/2sk0ObEWoGMcZIiZ0vsWfogO8y6s
J0BnZZDq81seUU4QoRw1/BwMh6zh6SmlH3cw2wPyoq2qC4mBBdYCrxBlamd9cFyY
A20MUZ5xXudZhZNlWv7Y7kKemoH0qQDT9xja7vvWvl95h1bNhTLoJKr/gfUQY56e
BBo7nNXKXtpXEtoVbfd3hTt7reXLjqlqpmLdmClgGM9JotKS7JCiOpytibqW7pOn
UKL00tUlBkcp2dYREegy0X+Rli8OOAJXTm0g+yvOiglMM1hXG067hkLDwZnQraOF
0/WZWOFfMSCHbciZYbIgP4ptQTHomWS5vy0ukZ+rGy3th/fXlAwb1Kv7PcmByD6+
WXBSngDlR85v+DYJjaWqtQIudMudfm0Z/s08jBJtUI83LjPWQeHtv0STXx5JVtS8
HP5Bbv53yyPzBuWSSRYf
=Oavc
-----END PGP SIGNATURE-----

Current thread:

Re: CVE-2014-6271: remote code execution through bash, (continued)
- - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash mancha (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Alan J. Wylie (Sep 26)
  - Re: CVE-2014-6271: remote code execution through bash Michal Zalewski (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Hanno Böck (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Pierre Schweitzer (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash gremlin (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)
  - Re: CVE-2014-6271: remote code execution through bash Jason Cooper (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Jason Cooper (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Jason Cooper (Sep 25)
- Re: CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)
  - Re: CVE-2014-6271: remote code execution through bash Michal Zalewski (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)

(Thread continues...)