*** This bug is a security vulnerability ***

Public security bug reported:

"The problem with bash's name references

Bash 4.3 introduced declare -n ("name references") to mimic Korn shell's
nameref feature, which permits variables to hold references to other
variables (see FAQ 006 to see these in action). Unfortunately, the
implementation used in Bash has some issues.

{…} Bash's name reference implementation still allows arbitrary code
execution:

$ foo() { declare -n var=$1; echo "$var"; }
$ foo 'x[i=$(date)]'
bash: i=Thu Mar 27 16:34:09 EDT 2014: syntax error in expression (error token is "Mar 27 16:34:09 EDT 2014")

It's not an elegant example, but you can clearly see that the date
command was actually executed. This is not at all what one wants."

source: http://mywiki.wooledge.org/BashFAQ/048
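
A defensive counterpart to the foo() shown above, as an added example that is not part of the bug report or the quoted FAQ: check that the argument is a plain identifier before it reaches declare -n. The names is_valid_name, safe_foo and _ref are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the report): validate before declare -n.

# is_valid_name NAME
# Succeeds only if NAME is a plain identifier: a letter or underscore
# followed by letters, digits or underscores. The check is pure pattern
# matching, so nothing in NAME is expanded or evaluated.
is_valid_name() {
    local LC_ALL=C   # make [A-Za-z] mean ASCII only
    case $1 in
        '' | [!A-Za-z_]* | *[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# safe_foo NAME
# Hardened form of foo() from the report. Returns 2 without creating the
# nameref when NAME is not a plain identifier. _ref is also refused so
# the nameref cannot point at itself.
safe_foo() {
    if ! is_valid_name "$1" || [ "$1" = _ref ]; then
        printf 'safe_foo: refusing invalid variable name\n' >&2
        return 2
    fi
    declare -n _ref=$1
    printf '%s\n' "$_ref"
}

# Input copied from the report; it is rejected before declare -n sees it.
safe_foo 'x[i=$(date)]' || echo "rejected (exit $?)"
```

The check also refuses array-element references such as arr[0], so callers that need those have to pass the array name and the index as separate, individually validated arguments.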

** Affects: bash (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security

** Description changed:

  "The problem with bash's name references
  
  Bash 4.3 introduced declare -n ("name references") to mimic Korn shell's
  nameref feature, which permits variables to hold references to other
  variables (see FAQ 006 to see these in action). Unfortunately, the
  implementation used in Bash has some issues.
  
  {…} Bash's name reference implementation still allows arbitrary code
  execution:
  
  $ foo() { declare -n var=$1; echo "$var"; }
  $ foo 'x[i=$(date)]'
  bash: i=Thu Mar 27 16:34:09 EDT 2014: syntax error in expression (error token 
is "Mar 27 16:34:09 EDT 2014")
  
  It's not an elegant example, but you can clearly see that the date
- command was actually executed. This is not at all what one wants.
+ command was actually executed. This is not at all what one wants."
  
  source: http://mywiki.wooledge.org/BashFAQ/048

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1411318

Title:
  arbitrary code execution
