[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Help-bash] Testing for Shellshock ... combinatorics and latest(Shel
From: |
Chet Ramey |
Subject: |
Re: [Help-bash] Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey) |
Date: |
Thu, 09 Oct 2014 21:41:05 -0400 |
User-agent: |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0 |
On 10/9/14, 4:50 PM, Eduardo A. Bustamante López wrote:
> Second, once you generate a command, how will your test program know
> if it found a bug? It's easy when bash segfaults, but in the case of
> shellshock, it wasn't a crash.
This is the problem. It's hard to tell whether bash reporting a syntax
error is a true syntax error, or a bug. The odds are considerably in
favor of the former, which make it hard to weed out the false positives.
You can use an environment variable in the form of an exported function
to test the parser, or run bash with the -n option, to minimize potential
damage to your system.
The fact that Michal's fuzzer found bugs that had been in bash for years
and never reported is a testament to the value of the approach. It just
takes a lot of work to wade through the results.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU address@hidden http://cnswww.cns.cwru.edu/~chet/