oss-sec mailing list archives
Re: Array importing in bash 4.3 (was: Re: [oss-security] Fwd: Non-upstream patches for bash)
From: "Kobrin, Eric" <ekobrin () akamai com>
Date: Mon, 29 Sep 2014 10:47:32 -0500
On Sep 29, 2014, at 10:42 AM, Florian Weimer <fweimer () redhat com> wrote:
From: Florian Weimer <fweimer () redhat com> Note that if you ship 4.3, you might want to reevaluate a decision to enable array variable import from the environment.I changed the subject because I'm sure this parenthetical comment got lost. Fortunately, in bash 4.3 (patchlevel 25), you cannot just -DARRAY_EXPORT and get array variable import/export. The code doesn't compile, and if you fix that, it does not link, and if you fix that, well, you end up with the following issue. But I doubt anybody has done this, so it's not a vulnerability (yet) and does not need CVE assignment etc. The array import/export feature allows one to export and import variables while preserving their array status. Unfortunately, it enables this: $ env -i 'FOO=([$(echo broken > /dev/tty)]=a)' ./bash -c true broken ./bash: []=a: bad array subscript As I said, it is currently not an issue, but it's probably best not to enable this in the future at all, or use it with another form of mangling. -- Florian Weimer / Red Hat Product Security
This code also reveals a difference from the function export code. The ARRAY_EXPORT code frees temp_string after using it. The function export code mallocs, but never frees it. That behavior predates the recent patches. -- Eric Kobrin
Current thread:
- Re: Fwd: Non-upstream patches for bash, (continued)
- Re: Fwd: Non-upstream patches for bash Chet Ramey (Sep 29)
- Re: Fwd: Non-upstream patches for bash Marc Deslauriers (Sep 25)
- Re: Fwd: Non-upstream patches for bash Marc Deslauriers (Sep 25)
- Re: [security-vendor] Re: [oss-security] Fwd: Non-upstream patches for bash Mark Hatle (Sep 26)
- Re: Fwd: Non-upstream patches for bash cve-assign (Sep 25)
- Re: Fwd: Non-upstream patches for bash Hanno Böck (Sep 26)
- Re: Non-upstream patches for bash Ángel González (Sep 26)
- Re: Re: Non-upstream patches for bash John Haxby (Sep 26)
- Re: Re: Non-upstream patches for bash Ángel González (Sep 26)
- Re: Re: Non-upstream patches for bash John Haxby (Sep 26)
- Array importing in bash 4.3 (was: Re: [oss-security] Fwd: Non-upstream patches for bash) Florian Weimer (Sep 29)
- Re: Array importing in bash 4.3 (was: Re: [oss-security] Fwd: Non-upstream patches for bash) Kobrin, Eric (Sep 29)
- Re: Array importing in bash 4.3 Florian Weimer (Sep 29)
- Re: Array importing in bash 4.3 Kobrin, Eric (Sep 29)
- Re: Array importing in bash 4.3 (was: Re: [oss-security] Fwd: Non-upstream patches for bash) Kobrin, Eric (Sep 29)
- Re: Array importing in bash 4.3 Chet Ramey (Sep 29)