I want to apologize for adding more confusion to this issue. My statements about CVE-2014-7169 were incorrect and misguided. This change does not remove function exporting but only changes how the function names are encoded as variable names. Because the published CVE-2014-6271 vulnerability test used "env" to create a function outside of bash, I continued to follow this pattern to design other tests. I didn't realize that the purpose of CVE-2014-7169 was not to remove accepting functions from the environment but removing functions that were created externally (as the vulnerability test did and as I continued to do blindly).
Now that I understand, here's a better test showing it still works on a machine with CVE-2014-7169:

-bash-3.2$ bash -c 'x() { echo "functions still work" "$@"; }; export -f x; x normally; (x from a subshell; ); /bin/bash -c "x through the environment"'
functions still work normally
functions still work from a subshell
functions still work through the environment

If it helps reduce the confusion, machines with the older bash releases or CVE-2014-6271 would export a function as follows:

-bash-3.2$ bash -c 'x() { echo "functions still work" "$@"; }; export -f x; env | egrep "functions still work"'
x=() { echo "functions still work" "$@"

but after the patch you get

-bash-3.2$ bash -c 'x() { echo "functions still work" "$@"; }; export -f x; env | egrep "functions still work"'
BASH_FUNC_x()=() { echo "functions still work" "$@"

-Alan

On Fri, Sep 26, 2014 at 12:06 PM, Alan Wild <a...@madllama.net> wrote:
> Not that I get a "vote", but if I did... I'm completely supportive of
> dropping function "importing" support when bash is invoked as /bin/sh (or
> --posix). This is clearly bash-specific functionality that isn't needed
> for POSIX-compliance. Seems like a much more reasonable middle-ground than
> pulling it altogether.
>
> -Alan
>
> On Fri, Sep 26, 2014 at 11:58 AM, Alan Wild <a...@madllama.net> wrote:
>
>> I've been searching for some clarification on these two "fixes" and I'm
>> utterly confused. I've been led to believe RedHat's first patch (6271) is
>> based on code from Chet that just causes bash to reject functions where
>> code appears outside of the function body.
>>
>> However, this patch was labeled as "insufficient" and 7169 now appears to
>> completely remove the ability to receive function definitions from the
>> environment.
>>
>> I have production code that requires function exporting that's going to
>> be broken by 7169. Is this some knee-jerk reaction by just RedHat or is
>> this a revised patch from Chet marking a change in bash functionality?
>>
>> My company's cybersecurity folks are pushing to install 7169 as soon as
>> possible and while I'm trying to push back I need to know if this is a
>> strategic change in direction for bash, RHEL, or what, exactly. (Because I
>> need to know how extensively I need to rearchitect my application).
>>
>> -Alan
>>
>> --
>> a...@madllama.net http://humbleville.blogspot.com
>>
>
>
>
> --
> a...@madllama.net http://humbleville.blogspot.com
>

--
a...@madllama.net http://humbleville.blogspot.com
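Added example, not code from the thread or from the bash project: a small POSIX sh script that probes the bash found on PATH for the behaviours the thread discusses. It reports which variable-name encoding "export -f" produces, whether functions exported with "export -f" still reach a child bash, whether a plain environment variable whose value starts with "() {" is still turned into a function (the externally created functions that the CVE-2014-7169 fix stops importing), and whether trailing code after a function body in the environment gets executed (the published CVE-2014-6271 test, run both with a plain name and with the encoding this bash actually uses). The function names, marker strings and result labels are this example's own. The "BASH_FUNC_name()" label corresponds to the encoding shown in the thread; "BASH_FUNC_name%%" is the encoding upstream bash adopted in the patch that followed the CVE-2014-7169 fix (bash 4.3 patch 027 and the matching patches for older releases), which is what a current bash is expected to report.

```shell
#!/bin/sh
# Added example (not from the thread): probe how the local bash handles
# exported functions after the Shellshock fixes. Function names, marker
# strings and result labels are this example's own; every probe shells
# out to whatever "bash" is on PATH.

# Which environment-variable name does bash use for an exported function x?
# Prints "name" (unpatched), "BASH_FUNC_name()" (early vendor fix shown in
# the thread), "BASH_FUNC_name%%" (upstream bash since 4.3 patch 027),
# or "none" if nothing recognisable was exported (e.g. no bash on PATH).
function_export_encoding() {
    fe_var=$(bash -c 'x() { echo fe_marker; }; export -f x; env' 2>/dev/null \
             | grep 'echo fe_marker' | cut -d= -f1 || true)
    case "$fe_var" in
        'x')             echo 'name' ;;
        'BASH_FUNC_x()') echo 'BASH_FUNC_name()' ;;
        'BASH_FUNC_x%%') echo 'BASH_FUNC_name%%' ;;
        *)               echo 'none' ;;
    esac
}

# Does a child bash still pick up a function exported with "export -f"?
# This is the part of function export that the CVE-2014-7169 fix keeps.
# Prints "yes" or "no".
exported_function_imported() {
    ef_out=$(bash -c 'x() { echo ef_imported; }; export -f x; bash -c x 2>/dev/null; true' \
             2>/dev/null || true)
    [ "$ef_out" = "ef_imported" ] && echo yes || echo no
}

# Is a plain environment variable whose value starts with "() {" turned
# into a function, as it was before CVE-2014-7169 was fixed? A fixed bash
# imports x as an ordinary string variable, so "x" is not a command.
# Prints "yes" or "no".
plain_variable_imported() {
    pv_out=$(env x='() { echo pv_fromenv; }' bash -c 'x 2>/dev/null; true' 2>/dev/null || true)
    [ "$pv_out" = "pv_fromenv" ] && echo yes || echo no
}

# Published CVE-2014-6271 check: a function definition in the environment
# followed by trailing code. A vulnerable bash runs the trailing code while
# importing; a fixed bash refuses the whole definition. The probe is run
# with a plain name and with the encoding this bash uses for exported
# functions, so it stays meaningful at every patch level.
# Prints "vulnerable" or "patched".
trailing_code_status() {
    case "$(function_export_encoding)" in
        'BASH_FUNC_name%%') tc_enc='BASH_FUNC_x%%' ;;
        'BASH_FUNC_name()') tc_enc='BASH_FUNC_x()' ;;
        *)                  tc_enc='x' ;;
    esac
    tc_out=''
    for tc_name in x "$tc_enc"; do
        tc_out="$tc_out$(env "$tc_name=() { :;}; echo tc_vulnerable" \
                         bash -c 'echo tc_probe' 2>/dev/null || true)"
    done
    case "$tc_out" in
        *tc_vulnerable*) echo vulnerable ;;
        *)               echo patched ;;
    esac
}

report() {
    echo "export -f encoding:          $(function_export_encoding)"
    echo "export -f still imported:    $(exported_function_imported)"
    echo "plain '() {' var imported:   $(plain_variable_imported)"
    echo "trailing code in env:        $(trailing_code_status)"
}

report
```

On a bash that carries the upstream fixes the report reads "BASH_FUNC_name%%", "yes", "no", "patched": functions exported with "export -f" still work across bash-to-bash invocations, while a definition created from outside bash with a plain variable name is ignored, and trailing code is never executed even when the attacker uses the encoded name. A machine at the patch level shown in the thread reports "BASH_FUNC_name()" with the same remaining answers.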