oss-sec mailing list archives

Re: CVE-2014-6271: remote code execution through bash


From: Chet Ramey <chet.ramey () case edu>
Date: Sat, 27 Sep 2014 21:39:19 -0400

On 9/27/14, 2:17 PM, Chet Ramey wrote:
> On 9/27/14, 10:28 AM, Tavis Ormandy wrote:
>
>> It does look bad, but are you sold on the prefix/suffix solution Chet?
>> That will at least mean these are not security issues.
>
> Yes.  I have no problems worth mentioning with the exported function
> encoding approach.  I have attached patches implementing it that can
> be applied to bash versions from bash-2.05b to bash-4.3.  Please take
> a look, make sure they can be applied cleanly, and so on.
>
> There is another discussion worth having before officially releasing
> these, which I will do later today.

OK, here are the more-or-less final versions of the patches for bash-2.05b
through bash-4.3.  I made two changes from earlier today: the function
export suffix is now `%%', which is not part of the set of valid variable
name characters but avoids any potential problems with including
shell metacharacters in the name; and this version refuses to import shell
functions whose name contains a slash, for reasons I discussed earlier.

Please let me know if you have any issues with these.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet () case edu    http://cnswww.cns.cwru.edu/~chet/

Attachment: funcexport-encode-2.05b.patch
Attachment: funcexport-encode-3.0.patch
Attachment: funcexport-encode-3.1.patch
Attachment: funcexport-encode-3.2.patch
Attachment: funcexport-encode-4.0.patch
Attachment: funcexport-encode-4.1.patch
Attachment: funcexport-encode-4.2.patch
Attachment: funcexport-encode-4.3.patch
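
An added example, not part of the message above or of the bash patches: a small audit that classifies entries of an environment block according to the prefix/suffix encoding and the slash rule the message describes. The `BASH_FUNC_` prefix and the `() {` value marker are assumptions taken from released bash rather than from this mail; the category names and the sample data are constructed for illustration.

```python
"""Classify environment entries under the encoded function-export scheme."""

FUNC_PREFIX = "BASH_FUNC_"  # assumption: prefix used by released bash, not named in the mail
FUNC_SUFFIX = "%%"          # suffix given in the mail
FUNC_MARKER = "() {"        # assumption: leading text of an exported function body

# Constructed sample in /proc/<pid>/environ layout (NUL-separated NAME=value).
SAMPLE_ENVIRON = (
    b"PATH=/usr/bin:/bin\0"
    b"BASH_FUNC_greet%%=() {  echo hello\n}\0"
    b"LEGACY_VAR=() {  echo hello\n}\0"
    b"BASH_FUNC_usr/bin/tool%%=() {  echo hello\n}\0"
)

def parse_environ(blob):
    """Yield (name, value) pairs from a NUL-separated environment block."""
    for entry in blob.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if sep and name:  # skip empty or malformed entries
            yield name.decode("utf-8", "replace"), value.decode("utf-8", "replace")

def classify(name, value):
    """Return how the entry relates to the encoded export scheme."""
    if not value.startswith(FUNC_MARKER):
        return "plain"
    func = name[len(FUNC_PREFIX):-len(FUNC_SUFFIX)]
    encoded = name.startswith(FUNC_PREFIX) and name.endswith(FUNC_SUFFIX) and func
    if not encoded:
        # Function-shaped value under an ordinary name: not an import
        # candidate under the encoding scheme.
        return "unencoded"
    if "/" in func:
        # The mail: functions whose name contains a slash are not imported.
        return "encoded-slash-rejected"
    return "encoded-function"

def audit(blob):
    """Map each variable name in the block to its classification."""
    return {name: classify(name, value) for name, value in parse_environ(blob)}

if __name__ == "__main__":
    for name, kind in audit(SAMPLE_ENVIRON).items():
        print(f"{kind:24} {name}")
```

Entries reported as `unencoded` are the ones worth reviewing on hosts that may still run an unpatched bash, since only there would a function-shaped value under an ordinary name reach the function parser.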

