oss-sec mailing list archives

Re: CVE-2014-6271: remote code execution through bash

From: Chet Ramey <chet.ramey () case edu>
Date: Sat, 27 Sep 2014 14:20:36 -0400

On 9/27/14, 2:17 PM, Chet Ramey wrote:

So what's your opinion on the appropriate set of restrictions? This is a
question that goes farther than what a particular shell will import,
since I'm going to align the restrictions on what functions a shell will
import from the environment with what functions that shell will let a
user define.  That means that a posix-mode shell will require imported
functions to be valid identifiers, but a non-posix mode shell will allow
words.  The original check that was in bash-4.3 does this.  What additional
checks should there be? I can see starting with rejecting function names
that can be confused with pathnames.

Please chime in and let me know what you think.


Sorry, I should have added that I'm not interested in rehashing decisions
that were made 25 years ago, and I am completely aware that this "violates"
Posix.  (That's why it doesn't do this in posix mode.)

Chet

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet () case edu    http://cnswww.cns.cwru.edu/~chet/

Current thread:

Re: CVE-2014-6271: remote code execution through bash, (continued)
- - Re: CVE-2014-6271: remote code execution through bash Michal Zalewski (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Huzaifa Sidhpurwala (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 26)
    - Re: CVE-2014-6271: remote code execution through bash David A. Wheeler (Sep 26)
    - Message not available
    - Message not available
    - Message not available
    - Message not available
    - Message not available
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 27)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 27)
    - Re: CVE-2014-6271: remote code execution through bash Michal Zalewski (Sep 27)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 27)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 27)
    - Re: CVE-2014-6271: remote code execution through bash Eric Blake (Sep 27)
    - Re: CVE-2014-6271: remote code execution through bash Eric Blake (Sep 27)
    - Re: CVE-2014-6271: remote code execution through bash Eric Blake (Sep 27)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 29)
    - Re: CVE-2014-6271: remote code execution through bash Hanno Böck (Sep 27)
    - Re: CVE-2014-6271: remote code execution through bash Eric Blake (Sep 28)
    - Healing the bash fork (was: Re: [oss-security] CVE-2014-6271: remote code execution through bash) Florian Weimer (Sep 29)

(Thread continues...)