Date: Wed, 24 Sep 2014 23:01:34 -0400
From: Chet Ramey <chet.ramey@...e.edu>
To: Solar Designer <solar@...nwall.com>, oss-security@...ts.openwall.com
CC: chet.ramey@...e.edu
Subject: Re: CVE-2014-6271: remote code execution through bash

On 9/24/14, 9:30 PM, Solar Designer wrote:

>>>>> The bash patch seems incomplete to me, function parsing is still
>>>>> brittle. e.g. $ env X='() { (a)=>\' sh -c "echo date"; cat echo
>>>>
>>>> Thanks for bringing this to oss-security.  I've added CC to Chet and
>>>> Tavis on this "reply".
>>>
>>> I have a fix for this.
>>
>> Can you provide a pointer to the patch?  I put together a patch that
>> changed the report_error() to fatal_error() as I wasn't able to see
>> how to reset the parser state.  Was just about to send it out...
> 
> I think Chet is not on oss-security - we should be CC'ing him where
> appropriate.  (I've added the CC on this reply.)

Here's the patch.  It's not specific to this vulnerability -- I can get
it to work from at least one other code path.  Please take a look and
see if you can bypass it.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
		 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet@...e.edu    http://cnswww.cns.cwru.edu/~chet/

*** ../bash-20140912/parse.y	2014-08-26 15:09:42.000000000 -0400
--- parse.y	2014-09-24 22:47:28.000000000 -0400
***************
*** 2959,2962 ****
--- 2959,2964 ----
    word_desc_to_read = (WORD_DESC *)NULL;
  
+   eol_ungetc_lookahead = 0;
+ 
    current_token = '\n';		/* XXX */
    last_read_token = '\n';
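
Review bot: The added `eol_ungetc_lookahead = 0;` (new line 2961 of parse.y) carries no comment, and it sits directly above `current_token = '\n';`, which is already marked `/* XXX */`, so the reason this variable must be cleared here is not recorded in the code. A one-line comment would help, for example noting that a pushed-back lookahead character left over from an aborted parse must not be consumed as part of the next input. The message says the fix is not specific to this one vulnerability and that at least one other code path is involved, so a regression test for each known path should land with the change. It is also worth checking whether any other lookahead or pushback state in parse.y is missing from this reset block.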
