<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#CCCCCC" text="#000000">
<div class="moz-cite-prefix">On 27/09/14 12:31, Anthony Thyssen
wrote:<br>
</div>
<blockquote
cite="mid:20140927123152.207c98dd@chimera.itc.griffith.edu.au"
type="cite">
<pre wrap="">On Fri, 26 Sep 2014 19:07:07 +1000
James Polley <a class="moz-txt-link-rfc2396E" href="mailto:jamezpolley@gmail.com"><jamezpolley@gmail.com></a> wrote:
| On Fri, Sep 26, 2014 at 1:20 PM, Russell Coker <a class="moz-txt-link-rfc2396E" href="mailto:russell@coker.com.au"><russell@coker.com.au></a> wrote:
|
| So it's quite possible that you have a CGI script written in C that uses
| system() to call curl, or a Perl script that invokes ImageMagick
|
And I can tell you ImageMagick itself calls other programs to do some
'delegate' conversions of images! For example ghostscript!
So really it is impossible to say if ANYTHING invoked by a CGI or
executable include, or anything else invoked by the web or a other
network access doesn't at some point also calls a shell such as BASH.
Patch BASH and your done.
PS; I think it is stuipd that BASH actually initiallises external
functions on startup. If an external function is desirable then
the bash script that imports it should declare it, and the function
gets important only at that point.</pre>
</blockquote>
<br>
Agreed. Time to dump support for all those old bash scripts that
require functions written as VARIABLE()="() { body }" - which
appears to be why this bug exists in the first place.<br>
<br>
<blockquote
cite="mid:20140927123152.207c98dd@chimera.itc.griffith.edu.au"
type="cite">
<pre wrap="">
As it is scripts have no say about functions being imported or not.</pre>
</blockquote>
<br>
True, though script writers do have a say in whether they use eval()
(which is just evil).<br>
<br>
<blockquote
cite="mid:20140927123152.207c98dd@chimera.itc.griffith.edu.au"
type="cite">
<pre wrap="">
At least they also patched the use of '/' in imported function names!
For example importing a function named /usr/bin/id or /sbin/ping
could be just a bad a loophole when you can control the calling
environment. EG: a su, sudo, or suid program that does not properly
wipe the environment completely!
Anthony Thyssen ( System Programmer ) <a class="moz-txt-link-rfc2396E" href="mailto:A.Thyssen@griffith.edu.au"><A.Thyssen@griffith.edu.au></a>
--------------------------------------------------------------------------
A Gods idea of amusement is a Snakes and Ladders game,
with greased rungs. -- Terry Pratchett, "Wyrd Sisters"
--------------------------------------------------------------------------
Anthony's Castle <a class="moz-txt-link-freetext" href="http://www.ict.griffith.edu.au/anthony/">http://www.ict.griffith.edu.au/anthony/</a>
_______________________________________________
linux-aus mailing list
<a class="moz-txt-link-abbreviated" href="mailto:linux-aus@lists.linux.org.au">linux-aus@lists.linux.org.au</a>
<a class="moz-txt-link-freetext" href="http://lists.linux.org.au/listinfo/linux-aus">http://lists.linux.org.au/listinfo/linux-aus</a>
</pre>
</blockquote>
<br>
Kind regards<br>
</body>
</html>