oss-sec mailing list archives
Re: Re: Non-upstream patches for bash
From: John Haxby <john.haxby () oracle com>
Date: Fri, 26 Sep 2014 11:47:49 +0100
On 26/09/14 01:23, Ángel González wrote:
Forwarding to the oss-security thread the patch I sent to bug-bash 1 hour ago. The trick here is to delay parsing of functions coming from the environment until they are actually needed. Thus extra code (CVE-2014-6271) or even a parsing vulnerability like CVE-2014-7169 won't be triggered unless you attempt to run the exported function (or you use a builtin such as declare or type that must print the code, things like type -t are safe to use).
Even with this?
type='() { echo hi there; }' bash
(Or the added stuff from Florian's patch).
I got myself into a right old mess by redefining declare, typeset, unset
and command.
It can be applied standalone (and remain compatible with older bash versions), or it could be combined with some of the other patches. It also makes bash more efficient by not parsing unused functions :) Although it passes the testsuite, it has only been lightly tested, don't install in your nuclear plant yet. 😉
Current thread:
- Re: Fwd: Non-upstream patches for bash, (continued)
- Re: Fwd: Non-upstream patches for bash Ed Prevost (Sep 29)
- Re: Fwd: Non-upstream patches for bash Jakub Wilk (Sep 29)
- Re: Fwd: Non-upstream patches for bash cve-assign (Sep 29)
- Re: Fwd: Non-upstream patches for bash Chet Ramey (Sep 29)
- Re: [security-vendor] Re: [oss-security] Fwd: Non-upstream patches for bash Mark Hatle (Sep 26)
- Re: Re: Non-upstream patches for bash John Haxby (Sep 26)
- Re: Re: Non-upstream patches for bash Ángel González (Sep 26)
- Re: Array importing in bash 4.3 (was: Re: [oss-security] Fwd: Non-upstream patches for bash) Kobrin, Eric (Sep 29)
- Re: Array importing in bash 4.3 Florian Weimer (Sep 29)
- Re: Array importing in bash 4.3 Kobrin, Eric (Sep 29)