Abuse Report

You have a complaint about the posting below:

25-09-2014, 01:51 by Erik van Straten

From http://seclists.org/oss-sec/2014/q3/650, among other things (formatting added by me):

2014-09-24 17:03:19 +0200, by Florian Weimer:

Bash supports exporting not just shell variables, but also shell functions to other bash instances, via the process environment to (indirect) child processes. Current bash versions use an environment variable named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the environment. The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function definition.

For example, an environment variable setting of VAR=() { ignored; }; /bin/id will execute /bin/id when the environment is imported into the bash process. (The process is in a slightly undefined state at this point. The PATH variable may not have been set up yet, and bash could crash after executing /bin/id, but the damage has already ...
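The import behaviour described in the quoted advisory, turned into two defensive checks: a classifier for environment values and a probe for a bash binary. This is an added example, not part of the original post or the advisory; the function names, the marker string and the sample lines are constructed, and the end-of-value test is a heuristic.

```shell
#!/bin/sh
# Added example; names, marker and sample data are constructed for illustration.

# Classify one environment value using the "() {" prefix the advisory describes.
# Heuristic (assumption): a value exported by bash ends at the function's closing
# brace, so a "() {" value that does not end in "}" carries trailing text.
classify_env_value() {
    case $1 in
        "() {"*)
            case $1 in
                *"}") echo "funcdef" ;;
                *)    echo "funcdef+trailing" ;;
            esac ;;
        *) echo "plain" ;;
    esac
}

# Read NAME=value lines (one per line, single-line values only) on stdin and
# print "NAME kind" for every value that is not plain.
scan_env_lines() {
    while IFS= read -r line; do
        name=${line%%=*}
        value=${line#*=}
        kind=$(classify_env_value "$value")
        [ "$kind" = "plain" ] || echo "$name $kind"
    done
}

# Probe a bash binary with the advisory's pattern, using a harmless echo.
# Returns 0 if the trailing command ran during import, 1 if not, 2 if the
# binary was not found. The crash the advisory mentions is tolerated.
bash_runs_trailing_commands() {
    shell=${1:-bash}
    command -v "$shell" >/dev/null 2>&1 || return 2
    marker="trailing-command-ran-$$"
    out=$(env "VAR=() { ignored; }; echo $marker" "$shell" -c ':' 2>/dev/null) || true
    case $out in
        *"$marker"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed sample environment, not captured data.
sample='HOME=/root
greet=() { echo hello; }
VAR=() { ignored; }; /bin/id'
printf '%s\n' "$sample" | scan_env_lines
```

Values that span several lines, as bash normally writes exported functions, need NUL-delimited input rather than the line-based reader used here.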
