[Linux-aus] What's the real story about Shellshock and Bash and vulnerabilities in Linux and OpenSource?

Scott Ferguson scott.ferguson.it.consulting at gmail.com
Sat Sep 27 15:07:50 EST 2014


On 27/09/14 12:31, Anthony Thyssen wrote:
> On Fri, 26 Sep 2014 19:07:07 +1000
> James Polley <jamezpolley at gmail.com> wrote:
> | On Fri, Sep 26, 2014 at 1:20 PM, Russell Coker <russell at coker.com.au> wrote:
> | 
> | So it's quite possible that you have a CGI script written in C that uses
> | system() to call curl, or a Perl script that invokes ImageMagick
> | 
>
> And I can tell you ImageMagick itself calls other programs to do some
> 'delegate' conversions of images! For example ghostscript!
>
> So really it is impossible to say if ANYTHING invoked by a CGI or
> executable include, or anything else invoked by the web or any other
> network access, doesn't at some point also call a shell such as BASH.
>
> Patch BASH and you're done.
>
>
> PS; I think it is stupid that BASH actually initialises external
> functions on startup.   If an external function is desirable then
> the bash script that imports it should declare it, and the function
> gets imported only at that point.

Agreed. Time to dump support for all those old bash scripts that require
functions written as VARIABLE()="() { body }" - which appears to be why
this bug exists in the first place.

>
> As it is scripts have no say about functions being imported or not.

True, though script writers do have a say in whether they use eval()
(which is just evil).

>
> At least they also patched the use of '/' in imported function names!
>
> For example importing a function named  /usr/bin/id  or /sbin/ping
> could be just as bad a loophole when you can control the calling
> environment.  E.g. a su, sudo, or suid program that does not properly
> wipe the environment completely!
>
>
>
>   Anthony Thyssen ( System Programmer )    <A.Thyssen at griffith.edu.au>
>  --------------------------------------------------------------------------
>   A Gods idea of amusement is a Snakes and Ladders game,
>   with greased rungs.           -- Terry Pratchett, "Wyrd Sisters"
>  --------------------------------------------------------------------------
>    Anthony's Castle     http://www.ict.griffith.edu.au/anthony/
>
> _______________________________________________
> linux-aus mailing list
> linux-aus at lists.linux.org.au
> http://lists.linux.org.au/listinfo/linux-aus
>

Kind regards
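The mechanism argued over above, as an added example that is not part of this thread or of any of the posters' own code. It assumes a bash binary on PATH (any bash shipped after October 2014 is patched, so the checks should report "patched" and "not-imported"); the payload strings and the fake HTTP_USER_AGENT header are constructed here for the demonstration. It shows the legitimate export -f round trip Anthony objects to, the classic startup-execution check for the original bug, the post-patch behaviour where a plain environment variable is no longer imported as a function no matter what its name is, and the env -i scrubbing that a CGI handler, su/sudo wrapper or setuid program should apply before it runs anything that might end up in bash.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes bash is on PATH.
BASH_BIN=${BASH_BIN:-$(command -v bash 2>/dev/null)}

# 1. The legitimate mechanism: a function exported with "export -f" travels to
#    a child bash through the environment and is callable there without the
#    child script ever declaring it (this is the implicit import complained about).
exported_function_roundtrip() {
    [ -n "$BASH_BIN" ] || { echo no-bash; return 2; }
    "$BASH_BIN" -c 'f() { echo imported; }; export -f f; "$0" -c f' "$BASH_BIN" 2>/dev/null
}

# 2. Pre-patch bash imported ANY variable whose value began with "() {" and kept
#    parsing past the closing brace, so text after the body ran as a command at
#    startup (CVE-2014-6271). Constructed payload: the trailing "echo vulnerable".
#    Patched bash prints only "completed".
shellshock_check() {
    [ -n "$BASH_BIN" ] || { echo no-bash; return 2; }
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo completed' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# 3. After the fix bash only imports functions from variables it encoded itself
#    (a dedicated BASH_FUNC_ prefix), so a caller who controls the environment
#    can no longer plant a function named "id" by exporting id='() { ... }'.
#    If the plain variable were still honoured, "id" would print "injected".
plain_var_is_not_imported() {
    [ -n "$BASH_BIN" ] || { echo no-bash; return 2; }
    if env id='() { echo injected; }' "$BASH_BIN" -c 'id' 2>/dev/null | grep -q injected; then
        echo imported; return 1
    fi
    echo not-imported
}

# 4. Mitigation for anything that forwards a hostile environment (CGI handlers,
#    su/sudo/suid wrappers): start the child from an empty environment and
#    forward an explicit allowlist, instead of trying to filter bad values out.
run_with_clean_env() {
    # usage: run_with_clean_env cmd args...   (only PATH and LANG survive)
    env -i PATH=/usr/bin:/bin LANG="${LANG:-C}" "$@"
}

# A CGI process sees the request's User-Agent header as HTTP_USER_AGENT.
# Constructed hostile header value, in the shape of the original exploit.
HOSTILE_UA='() { :;}; echo pwned'

# Without scrubbing, the header text is handed to every child process.
header_reaches_child_unscrubbed() {
    HTTP_USER_AGENT=$HOSTILE_UA; export HTTP_USER_AGENT
    sh -c 'printf %s "${HTTP_USER_AGENT-absent}"'
}

# With scrubbing, the child never sees the variable, so it does not matter
# whether /bin/sh (or anything it calls, e.g. ImageMagick -> ghostscript)
# happens to be an unpatched bash.
header_reaches_child_scrubbed() {
    HTTP_USER_AGENT=$HOSTILE_UA; export HTTP_USER_AGENT
    run_with_clean_env sh -c 'printf %s "${HTTP_USER_AGENT-absent}"'
}

# Stand-alone run: print each result.
echo "export -f round trip : $(exported_function_roundtrip)"
echo "startup-exec check   : $(shellshock_check)"
echo "plain var imported?  : $(plain_var_is_not_imported)"
echo "unscrubbed child sees: $(header_reaches_child_unscrubbed)"
echo "scrubbed child sees  : $(header_reaches_child_scrubbed)"
```

The scrubbing function is the practical takeaway: it does not try to recognise `() {` payloads (the follow-up CVEs showed that parser-level filtering kept missing cases), it simply refuses to forward anything the caller did not explicitly allow, which also closes the su/sudo/suid path Anthony describes.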