oss-sec mailing list archives
Re: CVE-2014-6271: remote code execution through bash
From: Chet Ramey <chet.ramey () case edu>
Date: Sat, 27 Sep 2014 21:39:19 -0400
On 9/27/14, 2:17 PM, Chet Ramey wrote:
> On 9/27/14, 10:28 AM, Tavis Ormandy wrote:
>> It does look bad, but are you sold on the prefix/suffix solution Chet?
>> That will at least mean these are not security issues.
>
> Yes. I have no problems worth mentioning with the exported function
> encoding approach. I have attached patches implementing it that can be
> applied to bash versions from bash-2.05b to bash-4.3. Please take a look,
> make sure they can be applied cleanly, and so on. There is another
> discussion worth having before officially releasing these, which I will
> do later today.
OK, here are the more-or-less final versions of the patches for bash-2.05b
through bash-4.3. I made two changes from earlier today: the function export
suffix is now `%%', which is not part of the set of valid variable name
characters but avoids any potential problems with including shell
metacharacters in the name; and this version refuses to import shell
functions whose name contains a slash, for reasons I discussed earlier.

Please let me know if you have any issues with these.

Chet
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU chet () case edu http://cnswww.cns.cwru.edu/~chet/
Attachments:
funcexport-encode-2.05b.patch
funcexport-encode-3.0.patch
funcexport-encode-3.1.patch
funcexport-encode-3.2.patch
funcexport-encode-4.0.patch
funcexport-encode-4.1.patch
funcexport-encode-4.2.patch
funcexport-encode-4.3.patch
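The two behaviours Chet describes above (exported functions carrying a prefix/suffix in their variable name, and refusal to import a function whose name contains a slash) can be checked against whatever bash is installed. The script below is an added example, not code from the message or from the attached patches. It assumes the installed bash already carries a fix of this shape, and it assumes the variable prefix is `BASH_FUNC_` (the message names only the `%%` suffix; the prefix is taken from the patches as released, and some distribution builds use a `()` suffix instead, so the check accepts either).

```shell
#!/usr/bin/env bash
# Added example, not code from the message or from the bash patches it
# attaches. It probes the installed bash for the behaviour the thread
# describes: a plain "() {" variable must not be executed on import, and
# exported functions travel under a prefixed/suffixed variable name.
# Assumptions: the installed bash is patched, and the variable prefix is
# BASH_FUNC_ (the message names only the %% suffix; the prefix is taken
# from the patches as released).

# Constructed Shellshock-style payload: a variable whose value starts with
# "() {" followed by a trailing command. An unpatched bash imported it as a
# function and ran "echo vulnerable" while setting up its environment.
PAYLOAD='x=() { :;}; echo vulnerable'

# 1. Import probe. A patched bash prints only "probe done"; stderr is
#    discarded because some interim patches emit a warning there.
shellshock_probe() {
    env "$PAYLOAD" bash -c 'echo probe done' 2>/dev/null
}

# 2. The payload is still imported, but as an ordinary variable: its value
#    is intact and nothing was parsed as a function definition.
plain_variable_survives() {
    env "$PAYLOAD" bash -c 'printf %s "$x"'
}

# 3. Post-patch encoding. Export a real function in a child bash and print
#    the environment variable name it is stored under. Upstream bash uses
#    BASH_FUNC_hello%%; some distribution builds use BASH_FUNC_hello().
exported_function_name() {
    bash -c 'hello() { echo hi; }; export -f hello; env' \
        | grep -E '^BASH_FUNC_hello' | cut -d= -f1
}

# 4. The second change in the message: a function whose name contains a
#    slash is refused even when it carries the prefix and suffix. The child
#    reports whether "a/b" arrived as a function (type exits 0 if it did).
slash_name_rejected() {
    if env 'BASH_FUNC_a/b%%=() { echo imported; }' bash -c 'type a/b' >/dev/null 2>&1; then
        echo imported
    else
        echo rejected
    fi
}

shellshock_probe
plain_variable_survives; echo
exported_function_name
slash_name_rejected
```

Run it on a host whose bash you want to check: the first line must not contain "vulnerable", the third line shows the encoded name the exported function travels under, and the last line should read "rejected". The probe intentionally uses a child `bash -c` so that the import path, not the interactive shell you typed into, is what gets exercised.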