oss-sec mailing list archives
Re: Healing the bash fork
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Mon, 29 Sep 2014 20:44:38 -0700
1. Is it necessary that functions exported in one version of bash be imported into other versions? 2. Is it necessary for exported functions to be able to transition through other processes and back into bash, or is function export intended to support bash-invoked-from-bash only?
In general, I suspect that the "is it necessary" part is somewhat moot. Very few things in bash are "necessary". But it's been there for a long time and it's clear that a small fraction of users have come to depend on the behavior. If we need to break that existing code to eliminate the risk, so be it; the feature is fairly obscure, so the damage will be limited. But if the prefix approach works fine, and nobody can come up with any compelling security-relevant reasons why it's a bad outcome... then what's the point of breaking existing scripts? I mean, all the arguments against the prefix approach boil down to "but if the attacker can set arbitrarily named variables to arbitrary values, then..." - and if that's something you allow across a security boundary, you're almost certainly in trouble no matter what. /mz
Current thread:
- Re: Healing the bash fork, (continued)
- Re: Healing the bash fork Tavis Ormandy (Sep 29)
- Re: Healing the bash fork David A. Wheeler (Sep 29)
- Re: Healing the bash fork John Haxby (Sep 29)
- Re: Healing the bash fork Kobrin, Eric (Sep 29)
- Re: Healing the bash fork Chet Ramey (Sep 29)
- Re: Healing the bash fork gremlin (Sep 29)
- Re: Healing the bash fork Florian Weimer (Sep 30)
- Re: Healing the bash fork Gennady Kupava (Sep 30)
- Re: Healing the bash fork gremlin (Sep 30)
- Re: Healing the bash fork Kobrin, Eric (Sep 29)
- Re: Healing the bash fork Michal Zalewski (Sep 29)
- Re: Healing the bash fork Kobrin, Eric (Sep 30)
- Re: Re: Healing the bash fork Todd C. Miller (Sep 29)
- atd (was: Re: [oss-security] Re: Healing the bash fork) Seth Arnold (Sep 29)
- Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
- Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 25)
- Re: CVE-2014-6271: remote code execution through bash Christos Zoulas (Sep 25)
- Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 25)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
- Re: CVE-2014-6271: remote code execution through bash Tavis Ormandy (Sep 25)