Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: Michal Zalewski <lcamtuf-QTaIpnqiE1Ffq8cQ1yknNg <at> public.gmane.org>
Subject: Re: CVE-2014-6271: remote code execution through bash
Newsgroups: gmane.comp.security.oss.general
Date: Wednesday 24th September 2014 18:54:18 UTC (over 2 years ago)
> My main concern with the current patch is that still exposes the bash
parser
> and function definition printer to attacks from the network. Bugs in
those
> fairly large components could cause another critical issue.

Yup, that surprised me when testing the patch, too - I can still get a
function called HTTP_COOKIE, for example. I worry about potential side
effects of parsing even in absence of parser bugs. In most
object-oriented languages, such side effects are practically
guaranteed. Bash may be saved by simplicity, but not sure how robust
that assumption is.

I've written more code in bash than I should have and never used
function exports, or even realized that they exist. I wonder if they
can be made optional (e.g., gated by a flag on the subprocess) without
breakage.

Another option may be to export them through specially prefixed
variables, which should be transparent but minimize the risk of
interfering with web servers and such.

/mz
 
CD: 2ms