Re: I've found a vulnerability in bash
From: Kerin Millar
Subject: Re: I've found a vulnerability in bash
Date: Fri, 19 Nov 2021 12:12:39 +0000
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.3.1

On 19/11/2021 10:53, Marshall Whittaker wrote:
> You could argue that bash should parse filenames globbed from * that start
> with - and exclude them specifically, so I'll have to respectfully
> disagree.

One could, but it would not make for a compelling argument. Define
GLOBIGNORE, if you insist.

> Also, it is not the programs doing the parsing of *, that is a
> function of bash. Try typing * in just your terminal/command line and see
> what happens

Yes. However, the presented 'exploit' hinges upon the behaviour of a
selected external program. Luckily for you, any that uses getopt(3) will
support -- as a means of concluding option recognition, rm(1) included.
In the case that you are using a program where option arguments cannot
be reliably separated from non-option arguments, specifying the glob as
./* will commonly suffice.

> A short whitepaper on it has been made public at:
> https://oxagast.org/posts/bash-wildcard-expansion-arbitrary-command-line-arguments-0day/
> complete with a mini Po

It's perplexing that your post relies upon the use of -- to get the
point across, without acknowledging its import. At any rate, this does
not constitute a vulnerability on the part of bash, much less a zero-day.
--
Kerin Millar
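
The two mitigations named in the reply above, `--` and `./*`, shown side by side with a bare `*`. This is an added example, not part of the original message; `classify` is a hypothetical stand-in for a utility with getopt-style option parsing, and the file names are constructed.

```shell
#!/bin/sh
# classify: hypothetical stand-in for an external utility that parses its
# arguments with getopts; like getopt(3), it stops option recognition at "--".
# It only reports how the arguments were classified.
classify() {
    OPTIND=1
    opts=0
    while getopts ":frv" opt; do
        opts=$((opts + 1))
    done
    shift $((OPTIND - 1))
    echo "options=$opts operands=$#"
}

# Constructed directory: one ordinary file, one file whose name looks like -f.
make_demo_dir() {
    dir=$(mktemp -d) || return 1
    : > "$dir/-f"
    : > "$dir/notes.txt"
    echo "$dir"
}

# run_case bare|dashdash|dotslash: expand the glob in the demo directory and
# print what the stand-in utility saw.
run_case() {
    demo=$(make_demo_dir) || return 1
    (
        LC_ALL=C; export LC_ALL   # fixed glob sort order: "-f" before "notes.txt"
        cd "$demo" || exit 1
        case $1 in
            bare)     classify * ;;      # "-f" arrives as an option
            dashdash) classify -- * ;;   # "--" ends option recognition
            dotslash) classify ./* ;;    # "./-f" cannot be taken for an option
        esac
    )
    rm -rf -- "$demo"
}

for c in bare dashdash dotslash; do
    printf '%-9s %s\n' "$c" "$(run_case "$c")"
done
```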