Re: How to understand bash vulnerability?
From: Peng Yu
Subject: Re: How to understand bash vulnerability?
Date: Wed, 30 Dec 2020 22:41:14 -0600
> https://mywiki.wooledge.org/BashFAQ/111
There are a total of six CVEs.
CVE-2014-6271
CVE-2014-6277
CVE-2014-6278
CVE-2014-7186
CVE-2014-7187
CVE-2014-7169
Why are only the test cases for CVE-2014-6271 and CVE-2014-7169
mentioned? What about the test cases for the other four CVEs?
I don't quite understand why "/dev/null" is needed in order to trigger
the vulnerability.
$ bash --version | head -n 1
GNU bash, version 3.2.17(1)-release (powerpc-apple-darwin9.0)
$ VAR='() {}>\' bash -c '/dev/null x=FAIL;declare -p x'
bash: VAR: line 1: syntax error near unexpected token `{}'
bash: VAR: line 1: `'
bash: error importing function definition for `VAR'
declare -- x="FAIL"
$ VAR='() {}>\' bash -c 'x=FAIL;declare -p x'
bash: VAR: line 1: syntax error near unexpected token `{}'
bash: VAR: line 1: `'
bash: error importing function definition for `VAR'
bash: line 0: declare: x: not found
$ bash --version | head -n 1
GNU bash, version 5.0.18(1)-release (x86_64-apple-darwin19.5.0)
$ VAR='() {}>\' bash -c '/dev/null x=FAIL;declare -p x'
bash: /dev/null: Permission denied
bash: line 0: declare: x: not found
$ VAR='() {}>\' bash -c 'x=FAIL;declare -p x'
declare -- x="FAIL"
Also, how was this vulnerability discovered? I mean, it is really
unnatural for me to think of ever trying to test for such a
vulnerability. So I wonder whether this vulnerability was discovered
by serendipity or active auditing of the bash source code. If it was
discovered by serendipity, could bash contain other unknown
vulnerabilities like this? For hardware, there is hardware verification
to ensure the correctness of a chip. Can something like this be done to
prove there is no other unknown vulnerability in bash?
--
Regards,
Peng
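
An added example, not part of the original message: the `/dev/null` probe from the transcripts above, wrapped in a check that classifies a bash binary by the two outcomes those transcripts show (`declare -- x="FAIL"` on 3.2.17, `declare: x: not found` on 5.0.18). The function names `classify_probe_output` and `probe_bash` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are
# hypothetical; the probe string is the one shown in the transcripts.

# classify_probe_output TEXT
# Prints one of:
#   vulnerable - the probe output shows x was assigned (3.2.17 transcript)
#   patched    - declare reports x as unset (5.0.18 transcript)
#   unknown    - neither marker is present (e.g. the binary did not run)
classify_probe_output() {
    case $1 in
        *'declare -- x="FAIL"'*)   echo vulnerable ;;
        *'declare: x: not found'*) echo patched ;;
        *)                         echo unknown ;;
    esac
}

# probe_bash [PATH_TO_BASH]
# Runs the /dev/null form of the probe against the given bash binary
# (default: the first "bash" on PATH), merges stderr into stdout because
# the patched result is reported on stderr, and classifies the output.
probe_bash() {
    bash_bin=${1:-bash}
    # "|| true": a non-zero exit from the probe is expected on patched builds.
    out=$(VAR='() {}>\' "$bash_bin" -c '/dev/null x=FAIL;declare -p x' 2>&1) || true
    classify_probe_output "$out"
}

# Usage: probe_bash /bin/bash
```

Only the `/dev/null` form is used here; the form without it gives the opposite `declare` results in the transcripts above, so the two must not share one classifier.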