oss-sec mailing list archives
Re: Healing the bash fork
From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Mon, 29 Sep 2014 10:49:22 -0700
On 29 September 2014 10:39, Kobrin, Eric <ekobrin () akamai com> wrote:
> On Sep 29, 2014, at 11:59 AM, Eric Blake <eblake () redhat com> wrote:
>> But I see no reason to move away from %% suffixing.
>
> The suffix fixes the obvious CGI hole, but it leaves exposed programs in which the adversary gets to choose the variable name as well.
>
> env $'BASH_FUNC_foo%%=() { echo 123\n }' bash -c "foo"
>
> I think that a more robust solution, such as using a separate store for functions, is needed if function import is to survive as a feature.
>
> -- Eric Kobrin

If an adversary can choose the variable name, it's game over by definition. He can choose LD_PRELOAD, SHELLOPTS='xtrace' PS4='$(foo)', LD_DEBUG_OUTPUT, PYTHONINSPECT, etc, etc.

This general solution is robust, now we're just hammering out the details.

-- 
-------------------------------------
taviso () cmpxchg8b com | pgp encrypted mail preferred
-------------------------------------------------------
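
The distinction drawn in this exchange, as an added example that is not code from any poster or from bash: a CGI-style launcher builds the child environment so that the remote side supplies only values, never raw variable names. The allowlist, the function names and the sample data are assumptions made for this illustration.

```python
import re

# Assumed allowlist for this example: names the child may inherit unchanged.
ALLOWED_NAMES = frozenset({"PATH", "LANG", "TZ"})
# Request header names: letters, digits and hyphens only (no '%', '=', '_').
_HEADER_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def header_to_env_name(header):
    """Map a header name to HTTP_<NAME>, CGI style; None if the name is malformed."""
    if not _HEADER_NAME.fullmatch(header):
        return None
    return "HTTP_" + header.upper().replace("-", "_")


def build_child_env(parent_env, request_headers):
    """Return (env, rejected): env holds only allowlisted or HTTP_-prefixed names."""
    env = {k: v for k, v in parent_env.items() if k in ALLOWED_NAMES}
    rejected = []
    for name, value in request_headers.items():
        env_name = header_to_env_name(name)
        if env_name is None:
            rejected.append(name)      # remote side tried to pick a raw name
        else:
            env[env_name] = value      # value is untrusted, name is ours
    return env, rejected


# Constructed sample input (names taken from the thread, values made up).
SAMPLE_PARENT = {"PATH": "/usr/bin:/bin", "LD_PRELOAD": "/tmp/example.so",
                 "PYTHONINSPECT": "1"}
SAMPLE_HEADERS = {"User-Agent": "() { echo 123\n }",
                  "BASH_FUNC_foo%%": "() { echo 123\n }",
                  "SHELLOPTS": "xtrace",
                  "LD-PRELOAD": "/tmp/example.so"}

if __name__ == "__main__":
    env, rejected = build_child_env(SAMPLE_PARENT, SAMPLE_HEADERS)
    print(sorted(env))
    print(rejected)
```

The resulting dictionary is what a launcher would pass as the `env=` argument when spawning the child, instead of letting it inherit the parent environment.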