From: | Walter Dnes <waltdnes@××××××××.org> |
---|---|
To: | Gentoo Users List <gentoo-user@l.g.o> |
Subject: | [gentoo-user] [Security] Update bash *NOW* |
Date: | Thu, 25 Sep 2014 01:59:02 |
Message-Id: | 20140925015844.GA21952@waltdnes.org |
Slashdot article http://linux.slashdot.org/story/14/09/24/1638207/remote-exploit-vulnerability-found-in-bash

Story at http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html

CVE ID CVE-2014-6271 at http://seclists.org/oss-sec/2014/q3/650

Summary... bash scripts, CGI, perl via "system()", and various other
"commands" invoke a bash shell at times, passing environmental variables
in the process. Problem is that an "environmental variable" ***CAN
CONTAIN A FUNCTION DEFINITION, AND EXECUTE IT WHILST SPAWNING A NEW
SHELL***. E.g. execute the command...

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

...and you get the following...

vulnerable
this is a test

Replace...

x='() { :;}; echo vulnerable'

...with malicious stuff, and it could get ugly. app-shells/bash-4.2_p48
has been pushed to Gentoo stable. The same "env" command results in...

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test


--
Walter Dnes <waltdnes@××××××××.org>
I don't run "desktop environments"; I run useful applications
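Added example, not part of Walter's mail: the same harmless probe wrapped as a check script with distinct exit codes (so it can be run across hosts), next to a contrast showing that passing an exported function through the environment is a normal bash feature; the bug is only that text trailing the function body was executed. It assumes a `bash` binary on PATH (or a path given as the first argument).

```shell
#!/bin/sh
# Added example (not from the original mail): scripted form of the probe
# quoted above, plus a contrast with the legitimate "export -f" feature.

# Probe the given bash binary (default: bash on PATH) with the exact harmless
# one-liner from the mail. Exit status: 0 = trailing command ran (vulnerable),
# 1 = ignored (fixed), 2 = no such binary.
bash_imports_env_function() {
    _bash="${1:-bash}"
    command -v "$_bash" >/dev/null 2>&1 || return 2
    # 'x' is an arbitrary variable name; the payload only echoes a marker.
    _out=$(env x='() { :;}; echo vulnerable' "$_bash" -c 'echo this is a test' 2>/dev/null)
    case "$_out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# The legitimate feature for contrast: a function exported with 'export -f'
# is handed to a child bash through the environment and is callable there.
# Prints "exported-ok" on any bash, patched or not.
exported_function_roundtrip() {
    _bash="${1:-bash}"
    # $0 inside the -c string is the extra argument, i.e. the same binary.
    "$_bash" -c 'f() { echo exported-ok; }; export -f f; "$0" -c f' "$_bash" 2>/dev/null
}

# One-line human-readable verdict for the given bash binary.
shellshock_verdict() {
    _rc=0
    bash_imports_env_function "$1" || _rc=$?
    case "$_rc" in
        0) echo "VULNERABLE (CVE-2014-6271): bash ran code trailing an imported function" ;;
        1) echo "not vulnerable: function definition in environment ignored" ;;
        *) echo "bash binary not found: ${1:-bash}" ;;
    esac
}

shellshock_verdict "${1:-bash}"
```

The probe writes nothing but the marker string, so it is safe to run on production hosts; a non-zero status from bash_imports_env_function is the expected result on any bash patched after 2014.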