bug-bash

Re: CVE-2014-7169 vs CVE-2014-6271


From: Alan Wild
Subject: Re: CVE-2014-7169 vs CVE-2014-6271
Date: Fri, 26 Sep 2014 15:57:01 -0500

I want to apologize for adding more confusion to this issue.  My statements
about CVE-2014-7169 were incorrect and misguided.  This change does not
remove function exporting but only changes how the function names are
encoded as variable names.
Because the published CVE-2014-6271 vulnerability test used "env" to create
a function outside of bash, I continued to follow this pattern to design
other tests.  I didn't realize that the purpose of CVE-2014-7169 was not to
remove accepting functions from the environment but removing functions that
were created externally (as the vulnerability test did and as I continued
to do blindly).

Now that I understand, here's a better test showing it still works on a
machine with CVE-2014-7169:

-bash-3.2$ bash -c 'x() { echo "functions still work" "$@"; }; export -f x;
x normally; (x from a subshell; ); /bin/bash -c "x through the environment"'
functions still work normally
functions still work from a subshell
functions still work through the environment

If it helps reduce the confusion, machines with the older bash releases or
CVE-2014-6271 would export a function as follows:

-bash-3.2$ bash -c 'x() { echo "functions still work" "$@"; }; export -f x;
env | egrep "functions still work"'
x=() {  echo "functions still work" "$@"

but after the patch you get

-bash-3.2$ bash -c 'x() { echo "functions still work" "$@"; }; export -f x;
env | egrep "functions still work"'
BASH_FUNC_x()=() {  echo "functions still work" "$@"

-Alan


On Fri, Sep 26, 2014 at 12:06 PM, Alan Wild <alan@madllama.net> wrote:

> Not that I get a "vote", but if I did... I'm completely supportive of
> dropping function "importing" support when bash is invoked as /bin/sh (or
> --posix).  This is clearly bash-specific functionality that isn't needed
> for POSIX-compliance.  Seems like a much more reasonable middle-ground than
> pulling it altogether.
>
> -Alan
>
> On Fri, Sep 26, 2014 at 11:58 AM, Alan Wild <alan@madllama.net> wrote:
>
>> I've been searching for some clarification on these two "fixes" and I'm
>> utterly confused.  I've been led to believe RedHat's first patch (6271) is
>> based on code from Chet that just causes bash to reject functions where
>> code appears outside of the function body.
>>
>> However, this patch was labeled as "insufficient" and 7169 now appears to
>> completely remove the ability to receive function definitions from the
>> environment.
>>
>> I have production code that requires function exporting that's going to
>> be broken by 7169.  Is this some knee-jerk reaction by just RedHat or is
>> this a revised patch from Chet marking a change in bash functionality?
>>
>> My company's cybersecurity folks are pushing to install 7169 as soon as
>> possible and while I'm trying to push back I need to know if this is a
>> strategic change in direction for bash, RHEL, or what, exactly.  (Because I
>> need to know how extensively I need to rearchitect my application).
>>
>> -Alan
>>
>> --
>> alan@madllama.net http://humbleville.blogspot.com
>>
>
>
>
> --
> alan@madllama.net http://humbleville.blogspot.com
>



-- 
alan@madllama.net http://humbleville.blogspot.com
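
An added example, not part of the message above and not code from bash: a POSIX shell classifier that tells the two environment encodings shown in the message apart, for auditing a captured environment for function definitions still carried under plain variable names. The function names and sample entries are constructed, and the `BASH_FUNC_name%%` form is the upstream bash encoding, which does not appear in the message.

```shell
#!/bin/sh
# Classify one NAME=VALUE environment entry by how it would carry an
# exported bash function. Prints "plain", "legacy NAME" or "prefixed NAME".
classify_env_entry() (
    entry=$1
    case $entry in
        *=*) ;;
        *) echo plain; exit 0 ;;
    esac
    name=${entry%%=*}     # text before the first "="
    value=${entry#*=}     # text after the first "="
    # Only a value that starts with "() {" is a function definition.
    case $value in
        '() {'*) ;;
        *) echo plain; exit 0 ;;
    esac
    case $name in
        BASH_FUNC_*'()')  # encoding shown in the message after the patch
            fn=${name#BASH_FUNC_}; fn=${fn%"()"}; echo "prefixed $fn" ;;
        BASH_FUNC_*%%)    # upstream encoding (assumption: not on the page)
            fn=${name#BASH_FUNC_}; fn=${fn%"%%"}; echo "prefixed $fn" ;;
        *)                # pre-patch encoding: any variable name qualifies
            echo "legacy $name" ;;
    esac
)

# Read env-style lines on stdin and report only function-carrying entries.
# Continuation lines of a multi-line function body classify as "plain".
scan_env() {
    while IFS= read -r line; do
        kind=$(classify_env_entry "$line")
        [ "$kind" = plain ] || printf '%s\n' "$kind"
    done
}

# Constructed sample: the two entries quoted in the message plus filler.
sample_env() {
    cat <<'EOF'
HOME=/home/alan
x=() {  echo "functions still work" "$@"
BASH_FUNC_x()=() {  echo "functions still work" "$@"
BASH_FUNC_y%%=() {  echo "constructed"
PATH=/usr/bin:/bin
EOF
}

sample_env | scan_env
```

A "legacy" hit marks an entry that only a pre-patch bash would import as a function; a patched bash ignores it.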

