The fundamental problem is this:

In starting, bash treats ANY environment variable whose value starts with "() {" (i.e. open paren, close paren, space, open curly) as a function to be parsed and imported. For example:

$ export ls='() { echo bwahahaha ; }'
$ bash        # any invocation of bash, including from system(), or as /bin/sh
$ ls
bwahahaha

This is the mechanism by which bash's "export -f" (export function) works. (By default, functions are not exported to the environment, which is why you never noticed this before.)

Basically, that functionality has a ridiculous number of potential gotchas, even if the parsing is properly fixed. The unpatched code just blithely throws the string at the command interpreter, and the patches are just band-aids on top of that.

-- don
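
The import rule described above keys on a four-character prefix, so a defender can test for it directly. The following is an added example, not part of the original thread: POSIX shell helpers that flag variables whose value begins with "() {" and run a command with those variables removed. The helper names and sample values are constructed, and the use of Linux /proc and of `env -u` (GNU, BSD, BusyBox; not POSIX) are assumptions.

```sh
#!/bin/sh
# Added example. Helper names and sample values are constructed.

# Succeeds when VALUE begins with the four characters "() {"
# (open paren, close paren, space, open curly), the prefix that
# makes bash parse an environment variable as a function at startup.
is_funcdef_value() {
    case $1 in
        '() {'*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Reads NAME=VALUE entries, one per line, on stdin and prints the NAME
# of every entry whose VALUE carries the prefix. Continuation lines of a
# multi-line value are treated as separate entries, so a hit is a
# prompt to inspect the variable, not a verdict.
scan_environ() {
    while IFS= read -r entry || [ -n "$entry" ]; do
        case $entry in
            *=*) ;;
            *)   continue ;;
        esac
        name=${entry%%=*}
        value=${entry#*=}
        if is_funcdef_value "$value"; then
            printf '%s\n' "$name"
        fi
    done
}

# Scans another process's environment. Assumes Linux, where
# /proc/PID/environ holds NUL-separated NAME=VALUE entries.
scan_pid() {
    tr '\0' '\n' < "/proc/$1/environ" | scan_environ
}

# Runs a command with every flagged variable removed from its
# environment. Assumes an env that supports -u (GNU, BSD, BusyBox).
run_scrubbed() {
    for flagged in $(env | scan_environ); do
        set -- -u "$flagged" "$@"
    done
    env "$@"
}
```

Typical use is `env | scan_environ` for the current shell, `scan_pid PID` for a running service, and `run_scrubbed some-command` in front of anything that may end up invoking bash.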


On 25/09/14 14:14, Nicholas Lee wrote:
Fix may not be complete either:

https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c23

On Thu, Sep 25, 2014 at 11:06 AM, Sebastian Castro <sebastian@nzrs.net.nz> wrote:


On 25/09/14 10:57 am, Dean Pemberton wrote:
> Hi all,
> This isn't normally a security vuln release list but this one looks pretty bad
>
> A newly discovered vulnerability (CVE-2014-6271) in the Bash
> command-line interpreter poses a critical security risk to Unix and
> Linux systems. It allows remote code execution.
>
> NZITF is responding to this remote execution exploit, with a News page
> that we will be keeping up to date - http://www.nzitf.org.nz/news.html
> .

There are active scans going on already:

http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html


>
> We are also reaching out to technical and security community points of
> contact to raise awareness to the issue and ensure necessary action is
> taken (hence this email to you). Please note, no patch is yet
> available for Mac OSX. However, many other patches are available.
>
> So Patch, Patch, Patch.
>
>
> Regards,
> Dea
> _______________________________________________
> NZNOG mailing list
> NZNOG@list.waikato.ac.nz
> http://list.waikato.ac.nz/mailman/listinfo/nznog
>

--
Sebastian Castro
Technical Research Manager
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535