List: openbsd-misc
Subject: Re: ksh, csh same vulnerability as bash
From: Peter Hessler <phessler () theapt ! org>
Date: 2014-09-29 12:00:22
Message-ID: 20140929120021.GL28193 () gir ! theapt ! org
You tested bash. All 3 shells are behaving correctly by passing the env
variable to the bash command you are running. The bash command you are
running is behaving incorrectly by parsing the variable as a function.
To test ksh/csh, you need to run a different command.
On 2014 Sep 29 (Mon) at 03:53:58 -0700 (-0700), Bogdan Andu wrote:
> Hello list,
>
> the bug in bash shell discovered last day also seems to be present in ksh and csh.
> ksh is known to be the default shell in OpenBSD.
>
> the following piece of shell code executes successfully on both ksh and csh (besides
> bash of course):
> ksh:
> $ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
> Bash is vulnerable!
> Bash Test
>
> csh:
> % env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
> Bash is vulnerable!
> Bash Test
>
>
> bash:
> $ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
> Bash is vulnerable!
> Bash Test
>
> all platforms seem to be affected 5.2, 5.3, 5.4, 5.5 - amd64
>
>
> I wonder what it is to be done to circumvent any potential security risk for people
> who call shell script code from cgi scripts for example.
>
>
> Cheers,
>
> /Bogdan
>
--
Help fight continental drift.
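
The check the reply describes, as an added example that is not part of the original message: the same function-shaped variable is handed to each candidate shell as the child process, so the result reflects the shell that is executed rather than the shell the command was typed into. The function name `probe_child` and the marker string are assumptions of this example.

```shell
#!/bin/sh
# Added example: probe the shell that is *executed*, not the shell you type in.
MARKER='probe-marker-7f3a'   # constructed string, only used to spot the import

# probe_child CHILD
# Run CHILD with a function-looking environment variable and report whether
# CHILD executed the text that follows the function body.
probe_child() {
    child=$1
    if ! command -v "$child" >/dev/null 2>&1; then
        echo "absent"
        return 0
    fi
    # Same variable shape as in the quoted message; only the child varies.
    out=$(env VAR="() { :;}; echo $MARKER" "$child" -c 'echo child-ran' 2>/dev/null) || true
    case $out in
        *"$MARKER"*) echo "affected" ;;       # child ran the trailing command
        *child-ran*) echo "not affected" ;;   # child ran only what it was asked to
        *)           echo "inconclusive" ;;   # child produced no usable output
    esac
}

# Each candidate is the child here; the shell running this script plays no part.
for sh_name in ksh csh bash sh; do
    printf '%-5s %s\n' "$sh_name" "$(probe_child "$sh_name")"
done
```
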