oss-sec mailing list archives
Re: CVE-2014-6271: remote code execution through bash
From: Chet Ramey <chet.ramey () case edu>
Date: Sat, 27 Sep 2014 16:09:51 -0400
On 9/27/14, 3:39 PM, Michal Zalewski wrote:
>> STD::what::does::this::do
>
> We ran into this problem with the original patch at Google, but TBH, we've just bitten the bullet. I'm not sure how hard we should try to accommodate outliers like this specifically for functions - as far as I can tell, you can't really get away with meaningfully using colons in variable names, right? But if you just want to minimize breakage without getting into existential discussions, wouldn't whitelisting : and perhaps periods and - going out on a limb - brackets be good enough?
We already make function names and variable names different, so there's no going back -- variable names have the usual restrictions, but with function names it's essentially anything goes. Since we would be going from essentially anything goes to a very small set of acceptable exceptions, I can see a steady stream of "I used to be able to use character X in my function names and can't now."

Frankly, the really dangerous one is `/', since it allows you to circumvent scripts that attempt to use full pathnames to bypass shell function lookups. I am more interested in other dangerous characters, the existential debate between whitelists and blacklists notwithstanding.

Chet

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet () case edu    http://cnswww.cns.cwru.edu/~chet/
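As an added example (not code from the thread or from bash itself), here is a POSIX sh audit that applies the character policies discussed above to exported function names: variable-name rules, the proposed whitelist of `:`, `.`, `-` and brackets, and `/` flagged as dangerous because such a function can shadow a full pathname. The `BASH_FUNC_name%%` naming is what patched bash uses for exported functions; `classify_function_name`, `audit_exported_functions` and the sample variable list are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): classify function names against the
# character policies discussed above.
#   portable  - same rules as variable names: [A-Za-z_][A-Za-z0-9_]*
#   extended  - portable set plus ':' '.' '-' '[' ']' (the proposed whitelist)
#   dangerous - contains '/', so the function could shadow a full pathname
#   reject    - empty, leading digit, or any other character
classify_function_name() {
    name=$1
    case "$name" in
        */*)             echo dangerous ;;
        '' | [0-9]*)     echo reject ;;
        *[!A-Za-z0-9_]*)
            # At least one non-portable character: allow only the whitelist.
            case "$name" in
                *[!]A-Za-z0-9_:.[-]*) echo reject ;;
                *)                     echo extended ;;
            esac ;;
        *)               echo portable ;;
    esac
}

# Read environment variable names (one per line) and report every exported
# function, using the BASH_FUNC_<name>%% naming of patched bash.
audit_exported_functions() {
    while IFS= read -r var; do
        case "$var" in
            BASH_FUNC_*%%)
                fn=${var#BASH_FUNC_}
                fn=${fn%"%%"}
                echo "$(classify_function_name "$fn") $fn" ;;
        esac
    done
}

# Constructed sample of variable names, standing in for `env | cut -d= -f1`.
SAMPLE_ENV='PATH
BASH_FUNC_greet%%
BASH_FUNC_STD::what::does::this::do%%
BASH_FUNC_/bin/ls%%
HOME'

# Number of exported functions in the sample whose name contains '/'.
count_dangerous() {
    printf '%s\n' "$SAMPLE_ENV" | audit_exported_functions | grep -c '^dangerous '
}

printf '%s\n' "$SAMPLE_ENV" | audit_exported_functions
```

Run against a real environment by feeding `env | cut -d= -f1` to `audit_exported_functions` before handing control to a script that relies on full pathnames.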