CERT/NIST reveal level 10 bash alert today, 24 September 2014
From: Alexandre Ferrieux
Subject: CERT/NIST reveal level 10 bash alert today, 24 September 2014
Date: Thu, 25 Sep 2014 16:48:09 +0200

Is the response (workarounds and patch) being discussed elsewhere?
(1) Patch
Looking at the code, it seems that the problem is that in
initialize_shell_variables(), when an inheritable function is detected in
the environment by the "() {" prefix, we then directly
call parse_and_execute(), on the whole string.
Obviously this includes any trailing commands after "} ;". A proper fix
would need to tweak the parser to do a parse_and_execute_one_command().
Anybody already working along those lines?
(2) Workaround
Privileged mode skips the import of functions from the environment, hence
"#! /bin/bash -p" is a quick fix.
I assume that 99.9% of uses would be unaffected by the other side-effects
of -p.
Am I missing something?
-Alex
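
The behaviour described in the message above, as an added defensive example that is not part of the original post and is not bash's own code: it audits a NUL-separated environment block (the layout of /proc/<pid>/environ) for values carrying the "() {" import prefix, reports whether text follows the function body, and drops such values before a child shell is started. The function names, variable names and the sample block are constructed for the illustration.

```python
# Added example (not bash source code): audit a NUL-separated environment
# block for values that bash would import as functions.

FUNC_PREFIX = b"() {"   # prefix named in the post as the import trigger

def parse_environ(block):
    """Split NAME=value entries laid out as in /proc/<pid>/environ."""
    env = {}
    for entry in block.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if sep and name:
            env[name] = value
    return env

def body_end(value):
    """Offset just past the brace closing the first { ... } group, or -1.
    Heuristic: braces are counted without regard to shell quoting."""
    depth = 0
    for i, ch in enumerate(value):
        if ch == ord("{"):
            depth += 1
        elif ch == ord("}"):
            depth -= 1
            if depth == 0:
                return i + 1
    return -1

def classify(value):
    """Return 'plain', 'function', 'function+trailer' or 'malformed'."""
    if not value.startswith(FUNC_PREFIX):
        return "plain"
    end = body_end(value)
    if end < 0:
        return "malformed"
    trailer = value[end:].strip(b" \t\r\n;")
    return "function+trailer" if trailer else "function"

def sanitize(env):
    """Drop every function-style value before handing env to a child shell."""
    return {k: v for k, v in env.items() if not v.startswith(FUNC_PREFIX)}

# Constructed sample block; names and values are made up for the example.
SAMPLE = (b"PATH=/usr/bin\0"
          b"greet=() {  echo hi\n}\0"
          b"suspect=() { :; }; echo trailing\0"
          b"TERM=xterm\0")

if __name__ == "__main__":
    env = parse_environ(SAMPLE)
    for name, value in env.items():
        print(name.decode(), classify(value))
    print(sorted(k.decode() for k in sanitize(env)))
```

sanitize() removes both "function" and "function+trailer" values because the brace count ignores quoting, so "function" is a triage label rather than proof that a value is safe to import.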