Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash

bug-bash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash

From:	Stephane Chazelas
Subject:	Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey)
Date:	Fri, 10 Oct 2014 15:55:47 +0100
User-agent:	Mutt/1.5.21 (2010-09-15)

2014-10-10 10:17:40 -0400, Chet Ramey:
[...]
> > bash -c '(( XDG_VTNR < 7 ))
> > 
> > That allows arbitrary code execution (and can't easily be
> > fixed without breaking backward compatibility).
> > 
> > Try with "export XDG_VTNR='a[$(echo>&2 vulnerable)]'".
> 
> Sure, and that's documented, intended, and not unique.
[...]

Is it really intended and documented that cmdsubst be performed
there?

AFAICT, it's not useful and not consistent.

a='$(echo 1+1)' bash -c 'echo $((a))'

Doesn't work. So why would these work

a='b[$(echo 1+1)]' bash -c 'echo $((a))
Or
a='$(echo 1+1)' bash -c 'echo $((b[a]))'

then? Where is it documented that variable, arithmetic, command, tilde and
process substitution are performed in array subscripts in indirectly
evaluated arithmetic expressions?

I can accept:

echo $((a[$(echo 1+1)]))
or:
a[$(echo 1+1)]=2

being accepted intentionaly.

But I can't see why the content of a variable should be
interpreted as anything else than an arithmetic expression just
because it's in an array subscript.

-- 
Stephane

[Prev in Thread]

Current Thread

[Next in Thread]

re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey), Rick Karcich (rkarcich), 2014/10/09
- Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey), Eduardo A . Bustamante López, 2014/10/09
  - Re: [Help-bash] Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey), Chet Ramey, 2014/10/09
- Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey), Pádraig Brady, 2014/10/09
  - Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey), Chet Ramey, 2014/10/09
    - Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey), Stephane Chazelas, 2014/10/10
    - Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey), Chet Ramey, 2014/10/10
    - Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey), Stephane Chazelas <=
    - Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey), Eric Blake, 2014/10/10
    - Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey), Stephane Chazelas, 2014/10/10
    - Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey), Chet Ramey, 2014/10/13
    - expansions upon arithmetic evaluation in array subscripts, Stephane Chazelas, 2014/10/13
    - Re: expansions upon arithmetic evaluation in array subscripts, Chet Ramey, 2014/10/14
    - Re: expansions upon arithmetic evaluation in array subscripts, Linda Walsh, 2014/10/14
    - Re: expansions upon arithmetic evaluation in array subscripts, Chet Ramey, 2014/10/14
- Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey), Chet Ramey, 2014/10/09

Prev by Date: Re: CVE-2014-7187
Next by Date: Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey)
Previous by thread: Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey)
Next by thread: Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey)
Index(es):
- Date
- Thread