Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 29 Sep 2014 22:02:07 -0400
From: Chet Ramey <>
To: "Kobrin, Eric" <>,
        "" <>
Subject: Re: Re: CVE-2014-6271: remote code execution through
 bash (3rd vulnerability)

On 9/29/14, 11:42 AM, Kobrin, Eric wrote:
> On Sep 29, 2014, at 10:33 AM, Chet Ramey <> wrote:
>> If that is the command you ran, this doesn't show any vulnerability. 
> I've seen quite a few examples like this which don't do precisely what the submitter thought.
> I hope this isn't another such example:
> $ env $'BASH_FUNC_\nfoo%%=() { echo 123\n }' ./bash -c 'foo'
> ./bash: error importing function definition for `
> foo'
> 123
> This doesn't seem like desired behavior.

It's not desired behavior, but it's not exactly a security problem either.
I have a fix.


``The lyf so short, the craft so long to lerne.'' - Chaucer
		 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ