Re: How to understand bash vulnerability?

[Peng Yu]

> https://mywiki.wooledge.org/BashFAQ/111

There are a total of six CVEs.

CVE-2014-6271
CVE-2014-6277
CVE-2014-6278
CVE-2014-7186
CVE-2014-7187
CVE-2014-7169

Why only only the test cases for CVE-2014-6271 and CVE-2014-7169 are
mentioned? What about the test cases for the other four CVEs?

I don't quite understand why "/dev/null" is needed in order to trigger
the vulnerability.

$ bash --version | head -n 1
GNU bash, version 3.2.17(1)-release (powerpc-apple-darwin9.0)
$ VAR='() {}>\' bash -c '/dev/null x=FAIL;declare -p x'
bash: VAR: line 1: syntax error near unexpected token `{}'
bash: VAR: line 1: `'
bash: error importing function definition for `VAR'
declare -- x="FAIL"
$ VAR='() {}>\' bash -c 'x=FAIL;declare -p x'
bash: VAR: line 1: syntax error near unexpected token `{}'
bash: VAR: line 1: `'
bash: error importing function definition for `VAR'
bash: line 0: declare: x: not found

$ bash --version | head -n 1
GNU bash, version 5.0.18(1)-release (x86_64-apple-darwin19.5.0)
$ VAR='() {}>\' bash -c '/dev/null x=FAIL;declare -p x'
bash: /dev/null: Permission denied
bash: line 0: declare: x: not found
$ VAR='() {}>\' bash -c 'x=FAIL;declare -p x'
declare -- x="FAIL"

Also, how this vulnerability was discovered. I mean, it is really
unnatural for me to think of ever trying to test for such a
vulnerability. So I wonder whether this vulnerability was discovered
by serendipity or active auditing of the bash source code. If it was
discovered by serendipity, could bash contain other unknown
vulnerability like this? For hardware, there is hardware verification
to ensure the correctness a chip. Can something like this be done to
prove there is no other unknown vulnerability in bash?

-- 
Regards,
Peng