Date: Fri, 26 Sep 2014 15:11:59 +0200 From: Guido Berhoerster <gber@...nsuse.org> To: oss-security@...ts.openwall.com Subject: Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) * Florian Weimer <fweimer@...hat.com> [2014-09-26 13:33]: > On 09/26/2014 10:54 AM, Mark R Bannister wrote: > I agree this looks scary at first glance, but we discussed this > previously, see for example: > > <http://www.openwall.com/lists/oss-security/2014/09/24/20> > > Shell scripts derive part of their power and flexibility from their > openness to the execution environment. You can tweak PATH, BASH_ENV > (or ENV for other Bourne-like shells), IFS, HOME, and many other > variables to change behavior. There are even more knobs to affect > the behavior of the external commands almost all shell scripts call > when they run. > > This makes them not suitable at all for writing SUID programs or > other code that runs in untrusted environments. This is > well-documented, and given the amount of shell scripts out there > which rely on these aspects of the UNIX shell design, it's not > something we can change, particularly not as part of a security > update which system administrators are more or less forced to > install. > > In your specific example, you can achieve the same effect by setting > PATH to a directory with a customer ls program, or by setting > BASH_ENV to a file which contains a definition of a function called > ls. I strong disagree that, there is a big difference in that a script can (and should) be able to obtain a sane environment by resetting stuff like PATH, BASH_ENV, IFS. The issue is also not about flexibility to override commands with functions or the ability to export them, rather it is the apparently undocumented implementation mixing data and code by storing the functions in the environment which is total and utter crap even by the standards of 20 years ago and it is just a matter of time until the next parser bug comes up. > Overriding external programs with shell functions in such a way has > to be supported. Otherwise, scripts which define shell functions > would break if the system administrator installs new software which > happens to include a program of the same name of the shell function. That is orthogonal to the implementation of exported functions. -- Guido Berhoerster
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.