[OpenIndiana-discuss] Bash bug issue

Saso Kiselkov skiselkov.ml at gmail.com
Sat Sep 27 00:04:58 UTC 2014


On 9/27/14, 1:59 AM, Nemo wrote:
> On 26 September 2014 19:44, Saso Kiselkov <skiselkov.ml at gmail.com> wrote:
>> On 9/27/14, 1:41 AM, Nemo wrote:
> [...]
>>> Whence does the OI bash source originate?  On the bash that comes with
>>> Solaris 10,  the vulnerability is not present:
>>>
>>> [~]=> bash --version
>>> GNU bash, version 3.00.16(1)-release (sparc-sun-solaris2.10)
>>> Copyright (C) 2004 Free Software Foundation, Inc.
>>> [~]=> env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
>>> completed
>>
>> In general, bash != /bin/sh on either Solaris or Illumos-derived
>> systems. Rerun the env test with bash instead of /bin/sh.
> 
> [~]=> echo $SHELL
> /bin/bash
> [~]=> env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
> completed
> 
> Note that I put bash into /bin to avoid GNUisms.

The invoking shell is irrelevant. Here's your problem:

                               vvvvvvv
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
                               ^^^^^^^

Put bash in there and you'll get a vulnerable "busted" result.

-- 
Saso



More information about the openindiana-discuss mailing list