[Touch-packages] [Bug 1411318] Re: arbitrary code execution
kurahaupo [22:16:18] phillip: anything on Woolledge's Wiki can be assumed to be known to Chet, yes kurahaupo phillip: the loop reference problem is potentially fixable; the code-in-referents is not, at least not without breaking existing code somewhere, which is a no-no I reported this here, so that someone maybe checks if this bug, can influence ubuntu's security. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bash in Ubuntu. https://bugs.launchpad.net/bugs/1411318 Title: arbitrary code execution Status in bash package in Ubuntu: Confirmed Bug description: The problem with bash's name references Bash 4.3 introduced declare -n (name references) to mimic Korn shell's nameref feature, which permits variables to hold references to other variables (..). Unfortunately, the implementation used in Bash has some issues. {…} Bash's name reference implementation still allows arbitrary code execution: $ foo() { declare -n var=$1; echo $var; } $ foo 'x[i=$(date)]' bash: i=Thu Mar 27 16:34:09 EDT 2014: syntax error in expression (error token is Mar 27 16:34:09 EDT 2014) It's not an elegant example, but you can clearly see that the date command was actually executed. This is not at all what one wants. source: http://mywiki.wooledge.org/BashFAQ/048 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1411318/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1411318] Re: arbitrary code execution
Have you reported this issue to the upstream bash developers? ** Changed in: bash (Ubuntu) Status: New = Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bash in Ubuntu. https://bugs.launchpad.net/bugs/1411318 Title: arbitrary code execution Status in bash package in Ubuntu: Confirmed Bug description: The problem with bash's name references Bash 4.3 introduced declare -n (name references) to mimic Korn shell's nameref feature, which permits variables to hold references to other variables (see FAQ 006 to see these in action). Unfortunately, the implementation used in Bash has some issues. {…} Bash's name reference implementation still allows arbitrary code execution: $ foo() { declare -n var=$1; echo $var; } $ foo 'x[i=$(date)]' bash: i=Thu Mar 27 16:34:09 EDT 2014: syntax error in expression (error token is Mar 27 16:34:09 EDT 2014) It's not an elegant example, but you can clearly see that the date command was actually executed. This is not at all what one wants. source: http://mywiki.wooledge.org/BashFAQ/048 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1411318/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1411318] Re: arbitrary code execution
** Description changed: The problem with bash's name references Bash 4.3 introduced declare -n (name references) to mimic Korn shell's nameref feature, which permits variables to hold references to other - variables (see FAQ 006 to see these in action). Unfortunately, the - implementation used in Bash has some issues. + variables (..). Unfortunately, the implementation used in Bash has some + issues. {…} Bash's name reference implementation still allows arbitrary code execution: $ foo() { declare -n var=$1; echo $var; } $ foo 'x[i=$(date)]' bash: i=Thu Mar 27 16:34:09 EDT 2014: syntax error in expression (error token is Mar 27 16:34:09 EDT 2014) It's not an elegant example, but you can clearly see that the date command was actually executed. This is not at all what one wants. source: http://mywiki.wooledge.org/BashFAQ/048 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bash in Ubuntu. https://bugs.launchpad.net/bugs/1411318 Title: arbitrary code execution Status in bash package in Ubuntu: Confirmed Bug description: The problem with bash's name references Bash 4.3 introduced declare -n (name references) to mimic Korn shell's nameref feature, which permits variables to hold references to other variables (..). Unfortunately, the implementation used in Bash has some issues. {…} Bash's name reference implementation still allows arbitrary code execution: $ foo() { declare -n var=$1; echo $var; } $ foo 'x[i=$(date)]' bash: i=Thu Mar 27 16:34:09 EDT 2014: syntax error in expression (error token is Mar 27 16:34:09 EDT 2014) It's not an elegant example, but you can clearly see that the date command was actually executed. This is not at all what one wants. source: http://mywiki.wooledge.org/BashFAQ/048 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1411318/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1411318] Re: arbitrary code execution
No, but I think someone has, but I don't know exactly. Trying to find out. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bash in Ubuntu. https://bugs.launchpad.net/bugs/1411318 Title: arbitrary code execution Status in bash package in Ubuntu: Confirmed Bug description: The problem with bash's name references Bash 4.3 introduced declare -n (name references) to mimic Korn shell's nameref feature, which permits variables to hold references to other variables (..). Unfortunately, the implementation used in Bash has some issues. {…} Bash's name reference implementation still allows arbitrary code execution: $ foo() { declare -n var=$1; echo $var; } $ foo 'x[i=$(date)]' bash: i=Thu Mar 27 16:34:09 EDT 2014: syntax error in expression (error token is Mar 27 16:34:09 EDT 2014) It's not an elegant example, but you can clearly see that the date command was actually executed. This is not at all what one wants. source: http://mywiki.wooledge.org/BashFAQ/048 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1411318/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp