
List:       openbsd-misc
Subject:    Re: ksh, csh same vulnerability as bash
From:       Peter Hessler <phessler () theapt ! org>
Date:       2014-09-29 12:00:22
Message-ID: 20140929120021.GL28193 () gir ! theapt ! org

You tested bash.  All 3 shells are behaving correctly by passing the env
variable to the bash command you are running.  The bash command you are
running is behaving incorrectly by parsing the variable as a function.

To test ksh/csh, you need to run a different command.


On 2014 Sep 29 (Mon) at 03:53:58 -0700 (-0700), Bogdan Andu wrote:
> Hello list,
> 
> the bug in bash shell discovered last day also seems to be present in ksh and csh. ksh is known to be the default shell in OpenBSD.
> 
> the following piece of shell code executes successfully on both ksh and csh (besides bash of course):
> ksh:
> $ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
> Bash is vulnerable!
> Bash Test
> 
> csh:
> %  env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
> Bash is vulnerable!
> Bash Test
> 
> 
> bash:
> $ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
> Bash is vulnerable!
> Bash Test
> 
> all platforms seem to be affected 5.2, 5.3, 5.4, 5.5 - amd64
> 
> 
> I wonder what is to be done to circumvent any potential security risk for people who call shell script code from cgi scripts for example.
> 
> 
> Cheers,
> 
> /Bogdan
> 

-- 
Help fight continental drift.


