Bug in bash <= 4.3 [security feature bypassed]

From: Hector Marco <hecmargi@upv.es>
To: fulldisclosure@seclists.org
Cc: oss-security@lists.openwall.com,bugtraq@securityfocus.com,advisories <advisories@lsexperts.de>,bugs@securitytracker.com
Subject: Bug in bash <= 4.3 [security feature bypassed]
Date:


Hi everyone,

Recently we discovered a bug in bash. After some time after reporting
it to bash developers, it has not been fixed.

We think that this is a security issue because in some circumstances
the bash security feature could be bypassed allowing the bash to be a
valid target shell in an attack.

We strongly recommend to patch your bash code.

Why don't fix this bug by simple adding mandatory "if" clause ?
Any comments about this issue are welcomed.


Details at:
http://hmarco.org/bugs/bash_4.3-setuid-bug.html



Thanks you,

Hector Marco
http://hmarco.org





Copyright © 1995-2020 LinuxRocket.net. All rights reserved.