oss-sec mailing list archives

Re: CVE-2014-6271: remote code execution through bash

From: Tavis Ormandy <taviso () google com>
Date: Thu, 25 Sep 2014 12:39:21 -0700

On Thu, Sep 25, 2014 at 12:18 PM, Chet Ramey <chet.ramey () case edu> wrote:

On 9/25/14, 12:15 PM, Solar Designer wrote:

What do you think of distros' going with Florian's prefix-suffix patch
right now?  I think it breaks function imports/exports between
pre-patch and post-patch bash versions, but keeps them intact for
patched versions.  Right?  If so, this sounds acceptable for immediate
use by distros.  Do you agree?


I haven't looked at that particular patch in detail yet, but I am wondering
why adding both a prefix and a suffix is better than just adding a prefix.


I think it's just paranoia, it demonstrates significant enough control
over the environment that it's unlikely someone could construct it via
a naive cgi environment or similar. If someone can create variables
with an arbitrary suffix and prefix, then there are likely bigger
problems to worry about than what bash is doing. FWIW, I like
Florian's approach.

Tavis.

Current thread:

Re: Healing the bash fork, (continued)
- - - Re: Healing the bash fork Michal Zalewski (Sep 29)
    - Re: Healing the bash fork Kobrin, Eric (Sep 30)
    - Re: Re: Healing the bash fork Todd C. Miller (Sep 29)
    - atd (was: Re: [oss-security] Re: Healing the bash fork) Seth Arnold (Sep 29)
    - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Christos Zoulas (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Tavis Ormandy (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Michal Zalewski (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 25)
- Re: CVE-2014-6271: remote code execution through bash Hanno Böck (Sep 24)
  - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Anthony Liguori (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Huzaifa Sidhpurwala (Sep 24)

(Thread continues...)