Fix test for CVE-2014-6277 to be a function import test from environment... #23
Bash 4.3.28 currently does crash with the example scripts for
both CVE-2014-6277 and CVE-2014-6278 with no patch [1], but it
will not run any code from them without specially setting up
the environment to use the prefixing. Both CVEs are documented
as specifically environment issues; if you can pass bad code
directly to bash -c then the attacker has already won.
The check must involve the environment or it will needlessly scare
users who have deployed appropriate mitigations. For example,
on FreeBSD (and NetBSD) we have disabled all function importing from
the environment. So this test passes fine on our bash versions.
The syntax used here is to check the return value to see if it
crashed, while hiding the core dump messages. There's no
code execution proven for CVE-2014-6277 yet so there is no
output that can be checked against.
Switch the test to more closely match the examples from the
disclosure [2].
[1] http://www.openwall.com/lists/oss-security/2014/10/01/25
[2] http://lcamtuf.blogspot.de/2014/10/bash-bug-how-we-finally-cracked.html
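An added example (written for this page, not the project's own test script) of the shape of check the message argues for: a POSIX sh script that first probes whether the local bash imports functions from the environment at all, then runs a reproducer through the environment with `bash -c :` and judges the result by exit status alone, with the shell's signal notice hidden. The probe tries the unprefixed form plus the BASH_FUNC_name() and BASH_FUNC_name%% prefixes, which to my knowledge are what bash43-027 and bash43-030 (and later) use; treat that as an assumption. The CVE-2014-6277 reproducer is deliberately not reproduced here: the caller supplies it from [2] through the hypothetical CVE_2014_6277_REPRODUCER variable. All function names (quiet_status, is_crash_status, env_function_name, env_function_status, verdict) are this example's own.

```shell
#!/bin/sh
# Added example of an environment-based crash check; not the project's code.

# Run a command, print its exit status, and never abort the script on failure.
# The "Segmentation fault (core dumped)" notice is written by the shell that
# reaps the child, so the redirection has to cover that shell while it waits;
# a brace group does that, a plain "cmd 2>/dev/null" would not.
quiet_status() {
    rc=0
    { "$@"; } 2>/dev/null || rc=$?
    echo "$rc"
}

# A status above 128 means the child died from a signal (139 = SIGSEGV on
# Linux and FreeBSD). For CVE-2014-6277 that is the only evidence available:
# no code execution has been proven, so there is no output to compare.
is_crash_status() {
    [ "$1" -gt 128 ]
}

# Does this bash import functions from the environment at all, and under
# which variable name? Prints the working name form and returns 0, or
# returns 1 when none is accepted (e.g. FreeBSD's bash, import disabled).
# Assumption: BASH_FUNC_name() is the bash43-027 encoding and
# BASH_FUNC_name%% the bash43-030 one; the bare name is the pre-patch form.
env_function_name() {
    probe='() { echo imported; }'
    for name in 'envfn' 'BASH_FUNC_envfn()' 'BASH_FUNC_envfn%%'; do
        out=$(env "$name=$probe" bash -c 'envfn' 2>/dev/null) || true
        if [ "$out" = imported ]; then
            echo "$name"
            return 0
        fi
    done
    return 1
}

# Run one reproducer the way the disclosure does: the payload sits in an
# environment variable and bash is started with a no-op command, so the only
# path to it is function import at startup, never "bash -c <payload>".
# $1 = variable name from env_function_name, $2 = function body from [2].
env_function_status() {
    quiet_status env "$1=$2" bash -c ':'
}

# $1 = 0 if import is enabled (1 otherwise), $2 = status from
# env_function_status. Prints a verdict; returns 1 only on an actual crash,
# so a bash with import disabled never scares the user.
verdict() {
    if [ "$1" -ne 0 ]; then
        echo "not affected: function import from the environment is disabled"
        return 0
    fi
    if is_crash_status "$2"; then
        echo "affected: bash crashed (exit status $2)"
        return 1
    fi
    echo "not affected: bash exited normally (status $2)"
    return 0
}

# Usage: runs only when bash is installed and the caller has exported the
# reproducer from [2] as CVE_2014_6277_REPRODUCER (hypothetical variable).
if command -v bash >/dev/null 2>&1 && [ -n "${CVE_2014_6277_REPRODUCER:-}" ]; then
    if name=$(env_function_name); then
        st=$(env_function_status "$name" "$CVE_2014_6277_REPRODUCER")
        verdict 0 "$st"
    else
        verdict 1 0
    fi
fi
```

The probe step is the part the message insists on: if none of the three name forms yields a defined function, the environment is not a way into this bash and the test reports "not affected" without ever running the reproducer.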