Re: REGRESSION: shellshock patch rejects valid function names

bug-bash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: REGRESSION: shellshock patch rejects valid function names

From:	Stephane Chazelas
Subject:	Re: REGRESSION: shellshock patch rejects valid function names
Date:	Tue, 30 Sep 2014 17:13:41 +0100
User-agent:	Mutt/1.5.23 (2014-03-12)

2014-09-30 17:06:22 +0100, Stephane Chazelas:
[...]
> Same with "export -p":
> 
> $ env -i $'a\necho test\na=b' ksh -c 'export -p' | ksh
> test
> 
> And bash is also vulnerable.
> 
> $ env -i $'a\necho test\na=b' bash -c 'export -p'
> declare -x OLDPWD
> declare -x PWD="/home/stephane"
> declare -x SHLVL="1"
> declare -x a
> echo test
> a
> 
> (that output doesn't make much sense, suggesting it may also
> hide more bugs and vulnerabilities).
[...]

Sorry, it does make sense. "bash" just outputs:

declare -x var-name

when var-name is not a valid identifier in the current locale.

Both ksh and bash's can be exploited using the LC_XXX with ssh
ForceCommand vector (and the output of "export -p" being
evaluated somehow).

-- 
Stephane

[Prev in Thread]

Current Thread

[Next in Thread]

Re: REGRESSION: shellshock patch rejects valid function names, (continued)
- Re: REGRESSION: shellshock patch rejects valid function names, Jay Freeman (saurik), 2014/09/26

Prev by Date: Re: REGRESSION: shellshock patch rejects valid function names
Next by Date: Issue with patching from bash-4.3-patches
Previous by thread: Re: REGRESSION: shellshock patch rejects valid function names
Next by thread: Re: REGRESSION: shellshock patch rejects valid function names
Index(es):
- Date
- Thread