Date: Fri, 26 Sep 2014 02:35:20 -0700 From: Dwayne Litzenberger <dlitz@...tz.net> To: oss-security@...ts.openwall.com Cc: chet.ramey@...e.edu Subject: Re: CVE-2014-6271: remote code execution through bash For folks like me who are running production systems that don't need exported functions at all, I've hacked together a little wrapper that just refuses to run bash if any environment variable's value starts with a left-paren: https://github.com/dlitz/bash-shellshock TL;DR: $ ls -l /bin/bash* lrwxrwxrwx 1 root root 20 Sep 26 01:12 /bin/bash -> /bin/bash-shellshock -rwxr-xr-x 1 root root 1029624 Sep 24 11:51 /bin/bash.real -rwxr-xr-x 1 root root 10368 Sep 26 00:32 /bin/bash-shellshock $ XX=1 XXX='(hello' /bin/bash -c env bash-shellshock: Refusing to start due to possibly unsafe environment variable (see syslog) It also supports log-only and variable-stripping modes, configurable system-wide. I've made binary .deb packages for Debian and Ubuntu, for anyone foolish enough to trust me. (If you've ever run "sudo pip install pycrypto", then you're already that foolish. ;) Tags and SHA256SUMS.asc files are signed using my OpenPGP key. -- Dwayne C. Litzenberger <dlitz@...tz.net> OpenPGP: 19E1 1FE8 B3CF F273 ED17 4A24 928C EC13 39C2 5CF7 [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ