
Re: Bug#762839: bash without importing shell functions from the environment



Nikolaus Rath, on Thu 25 Sep 2014 17:26:40 -0700, wrote:
> Samuel Thibault <sthibault@debian.org> writes:
> > Matthias Urlichs, on Thu 25 Sep 2014 21:17:58 +0200, wrote:
> >> Samuel Thibault:
> >> > Sounds crazy to me.
> >> > 
> >> Definitely. This is now out in the wild; exploits which simply replace
> >> echo or cat-without-/bin are going to happen. :-/
> >
> > That's not so easy to exploit. You have to manage to inject those precise
> > variable names.
> 
> Wasn't there some web server that used to put query script variables
> into the environment of the CGI script?

Well, that ought to have been fixed a long time ago already, otherwise you could
have injected all sorts of LD_*.

Samuel

