Date: Fri, 26 Sep 2014 02:35:20 -0700
From: Dwayne Litzenberger <dlitz@...tz.net>
To: oss-security@...ts.openwall.com
Cc: chet.ramey@...e.edu
Subject: Re: CVE-2014-6271: remote code execution through bash

For folks like me who are running production systems that don't need 
exported functions at all, I've hacked together a little wrapper that 
just refuses to run bash if any environment variable's value starts with 
a left-paren:

    https://github.com/dlitz/bash-shellshock

TL;DR:

    $ ls -l /bin/bash*
    lrwxrwxrwx 1 root root      20 Sep 26 01:12 /bin/bash -> /bin/bash-shellshock
    -rwxr-xr-x 1 root root 1029624 Sep 24 11:51 /bin/bash.real
    -rwxr-xr-x 1 root root   10368 Sep 26 00:32 /bin/bash-shellshock

    $ XX=1 XXX='(hello' /bin/bash -c env
    bash-shellshock: Refusing to start due to possibly unsafe environment variable (see syslog)

It also supports log-only and variable-stripping modes, configurable 
system-wide.

I've made binary .deb packages for Debian and Ubuntu, for anyone foolish 
enough to trust me.  (If you've ever run "sudo pip install pycrypto", 
then you're already that foolish. ;)

Tags and SHA256SUMS.asc files are signed using my OpenPGP key.

-- 
Dwayne C. Litzenberger <dlitz@...tz.net>
 OpenPGP: 19E1 1FE8 B3CF F273 ED17  4A24 928C EC13 39C2 5CF7
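
A wrapper of the kind described in the mail, as an added C sketch that is not the code in the linked repository: it flags any `NAME=value` entry whose value begins with a left-paren, logs the variable name, and then either refuses to start, runs the real binary unchanged (log-only), or runs it with the flagged entries stripped. The `/bin/bash.real` path comes from the listing above; the compile-time mode constant and the syslog facility are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
extern char **environ;

/* Path of the renamed real interpreter, as in the ls listing above. */
#define REAL_BASH "/bin/bash.real"
/* The real wrapper is configured system-wide; here the mode is a compile-time
 * constant (an assumption), deliberately not read from the untrusted environment. */
enum mode { MODE_REFUSE, MODE_LOG_ONLY, MODE_STRIP };
static const enum mode WRAPPER_MODE = MODE_REFUSE;

/* A "NAME=value" entry is flagged when its value begins with '('. */
int env_entry_unsafe(const char *entry) {
    const char *eq = strchr(entry, '=');
    return eq != NULL && eq[1] == '(';
}

/* Copy in[] to out[] (sized for all of in[] plus NULL), leaving flagged
 * entries out and logging their names. Returns how many were dropped. */
size_t strip_unsafe_env(char **in, char **out) {
    size_t dropped = 0, j = 0;
    for (size_t i = 0; in[i] != NULL; i++) {
        if (!env_entry_unsafe(in[i])) { out[j++] = in[i]; continue; }
        syslog(LOG_WARNING, "suspicious value in environment variable %.*s",
               (int)(strchr(in[i], '=') - in[i]), in[i]);
        dropped++;
    }
    out[j] = NULL;
    return dropped;
}

int main(int argc, char **argv) {
    (void)argc;
    openlog("bash-shellshock", LOG_PID, LOG_AUTH);
    size_t n = 0; while (environ[n] != NULL) n++;
    char **clean = calloc(n + 1, sizeof *clean);
    if (clean == NULL) return 1;
    if (strip_unsafe_env(environ, clean) > 0 && WRAPPER_MODE == MODE_REFUSE) {
        fputs("bash-shellshock: Refusing to start due to possibly unsafe "
              "environment variable (see syslog)\n", stderr);
        return 1;
    }
    /* Log-only keeps the original environment; strip mode passes clean[]. */
    execve(REAL_BASH, argv, WRAPPER_MODE == MODE_STRIP ? clean : environ);
    perror("execve");
    return 1;
}
```

Installed under the symlink layout shown in the listing, the wrapper runs in place of bash for every caller, so a CGI or DHCP client that hands it an environment like the `XXX='(hello'` example above never reaches the real interpreter in refuse mode.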
