oss-sec mailing list archives
Re: Healing the bash fork
From: "Kobrin, Eric" <ekobrin () akamai com>
Date: Mon, 29 Sep 2014 17:06:00 -0500
On Sep 29, 2014, at 2:50 PM, "David A. Wheeler" <dwheeler () dwheeler com> wrote:
On Mon, 29 Sep 2014 10:49:22 -0700, Tavis Ormandy <taviso () cmpxchg8b com> wrote:If an adversary can choose the variable name, it's game over by definition. He can choose LD_PRELOAD, SHELLOPTS='xtrace' PS4='$(foo)', ...I agree. If an adversary can arbitrary control the environment, it is definitely game over. What's more, this has been true for decades and this is *clearly* documented all over the place. If some program allows an untrusted user to control the content in arbitrary environment variables, that would be a security vulnerability in that other program, not in bash.
It was also a flaw in the other program when the adversary was able to set the values. That flaw is so prevalent that we now have these recent patches. My point is that we can tell the other people that they are using bash wrong, or we can take steps to make it harder to use unsafely. Introducing namespaces with prefixing and suffixing is fine for a quick patch, but I'd argue that it is too fragile for long term use. What is the motivation to not store executable code (functions) differently from standard variables? -- Eric Kobrin
Current thread:
- Re: CVE-2014-6271: remote code execution through bash, (continued)
- Re: CVE-2014-6271: remote code execution through bash Eric Blake (Sep 27)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 29)
- Re: CVE-2014-6271: remote code execution through bash Hanno Böck (Sep 27)
- Re: CVE-2014-6271: remote code execution through bash Eric Blake (Sep 28)
- Healing the bash fork (was: Re: [oss-security] CVE-2014-6271: remote code execution through bash) Florian Weimer (Sep 29)
- Re: Healing the bash fork Eric Blake (Sep 29)
- Re: Healing the bash fork Kobrin, Eric (Sep 29)
- Re: Healing the bash fork Tavis Ormandy (Sep 29)
- Re: Healing the bash fork David A. Wheeler (Sep 29)
- Re: Healing the bash fork John Haxby (Sep 29)
- Re: Healing the bash fork Kobrin, Eric (Sep 29)
- Re: Healing the bash fork Chet Ramey (Sep 29)
- Re: Healing the bash fork gremlin (Sep 29)
- Re: Healing the bash fork Florian Weimer (Sep 30)
- Re: Healing the bash fork Gennady Kupava (Sep 30)
- Re: Healing the bash fork gremlin (Sep 30)
- Re: Healing the bash fork Kobrin, Eric (Sep 29)
- Re: Healing the bash fork Michal Zalewski (Sep 29)
- Re: Healing the bash fork Kobrin, Eric (Sep 30)
- Re: Re: Healing the bash fork Todd C. Miller (Sep 29)
- atd (was: Re: [oss-security] Re: Healing the bash fork) Seth Arnold (Sep 29)