oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE-2014-6271: remote code execution through bash

From: Chet Ramey <chet.ramey () case edu>
Date: Thu, 25 Sep 2014 21:07:07 -0400
On 9/24/14, 9:30 PM, Solar Designer wrote:

On Wed, Sep 24, 2014 at 06:26:53PM -0700, Anthony Liguori wrote:

On Wed, Sep 24, 2014 at 6:23 PM, Chet Ramey <chet.ramey () case edu> wrote:

On 9/24/14, 5:32 PM, Solar Designer wrote:

On Wed, Sep 24, 2014 at 11:27:09PM +0200, Hanno B??ck wrote:

Tavis Ormandy just tweetet this:
https://twitter.com/taviso/status/514887394294652929

The bash patch seems incomplete to me, function parsing is still
brittle. e.g. $ env X='() { (a)=>\' sh -c "echo date"; cat echo


Thanks for bringing this to oss-security.  I've added CC to Chet and
Tavis on this "reply".


I have a fix for this.


Can you provide a pointer to the patch?  I put together a patch that
changed the report_error() to fatal_error() as I wasn't able to see
how to reset the parser state.  Was just about to send it out...


I have positive confirmation that this patch works, so here are patches for
bash versions bash-2.05b to bash-4.3.

I will probably push these out tomorrow.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet () case edu    http://cnswww.cns.cwru.edu/~chet/

Attachment: bash205b-009
Description:

Attachment: bash30-018
Description:

Attachment: bash31-019
Description:

Attachment: bash32-053
Description:

Attachment: bash40-040
Description:

Attachment: bash41-013
Description:

Attachment: bash42-049
Description:

Attachment: bash43-026
Description:

Previous By Date Next
Previous By Thread Next

Current thread: