[Linux-aus] What's the real story about Shellshock and Bash and vulnerabilities in Linux and OpenSource?

Anthony Thyssen A.Thyssen at griffith.edu.au
Sat Sep 27 12:31:52 EST 2014


On Fri, 26 Sep 2014 19:07:07 +1000
James Polley <jamezpolley at gmail.com> wrote:
| On Fri, Sep 26, 2014 at 1:20 PM, Russell Coker <russell at coker.com.au> wrote:
| 
| So it's quite possible that you have a CGI script written in C that uses
| system() to call curl, or a Perl script that invokes ImageMagick
| 

And I can tell you ImageMagick itself calls other programs to do some
'delegate' conversions of images! For example ghostscript!

So really it is impossible to say if ANYTHING invoked by a CGI or
executable include, or anything else invoked by the web or a other
network access doesn't at some point also calls a shell such as BASH.

Patch BASH and your done.


PS; I think it is stuipd that BASH actually initiallises external
functions on startup.   If an external function is desirable then
the bash script that imports it should declare it, and the function
gets important only at that point.

As it is scripts have no say about functions being imported or not.

At least they also patched the use of '/' in imported function names!

For example importing a function named  /usr/bin/id  or /sbin/ping
could be just a bad a loophole when you can control the calling
environment.  EG:  a su, sudo, or suid program that does not properly
wipe the environment completely!



  Anthony Thyssen ( System Programmer )    <A.Thyssen at griffith.edu.au>
 --------------------------------------------------------------------------
  A Gods idea of amusement is a Snakes and Ladders game,
  with greased rungs.           -- Terry Pratchett, "Wyrd Sisters"
 --------------------------------------------------------------------------
   Anthony's Castle     http://www.ict.griffith.edu.au/anthony/



More information about the linux-aus mailing list