Bugtraq mailing list archives
Re: Bug in bash <= 4.3 [security feature bypassed]
From: Hector Marco <hecmargi () upv es>
Date: Thu, 05 Jun 2014 23:13:11 +0200
On 05/06/14 12:02, Daryl Tester wrote:
On 03/06/14 23:46, Hector Marco wrote:Recently we discovered a bug in bash. After some time after reporting it to bash developers, it has not been fixed....Any comments about this issue are welcomed. Details at: http://hmarco.org/bugs/bash_4.3-setuid-bug.htmlI'm only going by the patch presented above, so ... 1. The program should be calling setgid() before setuid() (which is another common class of security mistake). 2. Why is exit() returning values greater than 255? It's not capable of doing that under (most) Unix environments.
a) I tried to patch by doing minimal changes to bash source code. Originally, the bash call first setuid() and later setgid(). And as you point this is not the best option. So, this code has actually 2 mistakes. I changed the patch code order calls, thanks, but anyway the patch achieve their goal, "avoid the bash
to be a valid target shell in an attack".b) I can imagine why you spent time writing about the patch and not about the
important point here which is the bug.
Current thread:
- Bug in bash <= 4.3 [security feature bypassed] Hector Marco (Jun 04)
- Re: [oss-security] Bug in bash <= 4.3 [security feature bypassed] Jose Carlos Luna Duran (Jun 04)
- Re: [FD] [oss-security] Bug in bash <= 4.3 [security feature bypassed] Hector Marco (Jun 05)
- Re: [FD] [oss-security] Bug in bash <= 4.3 [security feature bypassed] Jeffrey Walton (Jun 06)
- Re: [FD] [oss-security] Bug in bash <= 4.3 [security feature bypassed] lists (Jun 05)
- Re: [FD] [oss-security] Bug in bash <= 4.3 [security feature bypassed] Hector Marco (Jun 05)
- Re: Bug in bash <= 4.3 [security feature bypassed] Daryl Tester (Jun 05)
- Re: Bug in bash <= 4.3 [security feature bypassed] Hector Marco (Jun 06)
- Re: [oss-security] Bug in bash <= 4.3 [security feature bypassed] Jose Carlos Luna Duran (Jun 04)