[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash

From: Eric Blake
Subject: Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey)
Date: Fri, 10 Oct 2014 09:04:10 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1

On 10/10/2014 08:55 AM, Stephane Chazelas wrote:

> But I can't see why the content of a variable should be
> interpreted as anything else than an arithmetic expression just
> because it's in an array subscript.

For the record, there are vulnerable shell scripts in the wild that fail
to sanitize their inputs before passing it through arithmetic expansion,
all because MULTIPLE shells (bash, ksh, mksh, zsh) all have the same
semantic decision of performing command substitution as part of
arithmetic expansion.  For example:

$ /usr/sbin/fsadm -n resize /dev/sdb '0+x[`id >/dev/tty`]T'

demonstrates that fsadm is vulnerable for trying to do $(($1)) without
sanitizing $1 first.

Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]