oss-sec mailing list archives

Re: CVE-2014-6271: remote code execution through bash


From: Chet Ramey <chet.ramey () case edu>
Date: Thu, 25 Sep 2014 11:36:24 -0400

On 9/24/14, 8:14 PM, Solar Designer wrote:
> On Wed, Sep 24, 2014 at 03:12:08PM -0400, Chet Ramey wrote:
>> There are several options for making shell functions inherited via the
>> environment more robust, none of them backwards compatible.  I will
>> choose one and implement it for a future bash version.
>>
>> The leading candidates both raise the bar by requiring a potential
>> attacker to be able to create arbitrarily-named environment variables as
>> well as environment variables with specific values.
>>
>> I considered (and implemented) a blacklist approach that would have
>> protected against a set of commonly-named variables (HTTP_*, CGI_*,
>> SSH_*, LC_*, and so on), but the consensus was that that was too easily
>> circumvented.  I removed it from the distributed patches.
>
> What about no longer inheriting functions with names that don't contain
> any lowercase letters?

It's a heuristic like any other, but I think it's even more obscure and
mysterious than the other suggestions.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet () case edu    http://cnswww.cns.cwru.edu/~chet/
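
An added example (not part of the original message and not bash source code): the two name-based import filters discussed above, applied to a constructed environment to show which function-valued variables each would refuse. It assumes the pre-patch encoding, in which a value beginning with `() {` is parsed as an exported function; the variable names and the four-prefix list are illustrative.

```python
# Added example: compares the two name-based import filters discussed in this
# message. Not bash source code; all names below are constructed for the demo.

# Pre-patch bash treated any environment value starting with "() {" as an
# exported function definition, regardless of the variable's name.
FUNC_MARKER = "() {"

# Prefixes named in the message; the real list ("and so on") was longer.
BLACKLIST_PREFIXES = ("HTTP_", "CGI_", "SSH_", "LC_")


def looks_like_function(value):
    """True if the value has the legacy exported-function encoding."""
    return value.startswith(FUNC_MARKER)


def blocked_by_blacklist(name):
    """Prefix blacklist: refuse import for the commonly-named variables."""
    return name.startswith(BLACKLIST_PREFIXES)


def blocked_by_lowercase_rule(name):
    """Proposed heuristic: refuse names that contain no lowercase letter."""
    return not any(c.islower() for c in name)


def audit(env):
    """Return {name: (blacklist_blocks, lowercase_rule_blocks)} for every
    variable whose value would be parsed as a function definition."""
    return {
        name: (blocked_by_blacklist(name), blocked_by_lowercase_rule(name))
        for name, value in env.items()
        if looks_like_function(value)
    }


# Constructed sample environment (benign, empty function bodies only).
SAMPLE_ENV = {
    "HTTP_EXAMPLE_HEADER": "() { :; }",  # matches a blacklisted prefix
    "EXAMPLE_UPPER_VAR": "() { :; }",    # uppercase, not on the blacklist
    "module": "() { :; }",               # lowercase exported function name
    "PATH": "/usr/bin:/bin",             # ordinary value, never a function
}

if __name__ == "__main__":
    for name, (bl, lc) in audit(SAMPLE_ENV).items():
        print(f"{name:20} blacklist={bl!s:5} lowercase_rule={lc}")
```
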

