[GLLUG] Bash Bug

Matthew Copperwaite mattcopp at gmail.com
Thu Sep 25 16:16:31 UTC 2014


On 25 September 2014 10:14, Sunny Aujla <sunnyfedora99 at googlemail.com>
wrote:

> Thought I'd share this with everyone.
>
>
> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/


So I'm finding the linked Red Hat article quite difficult to read (being
poorly written and discussing useless diversions) and therefore fail to
actually understand the issue here.

So my attempt at understanding it, and please correct me if I'm wrong, is:

Bash (like any shell) has access to environment variables, and it loads
those variables when it starts up. If those variables contain a function
then bash will execute that code. So (and this is the bit where it gets a
bit hazy) if you are running a service such as mod_cgi in apache2/httpd and
those CGI scripts are running in bash, then they can somehow create an
environment variable that will be loaded by other bash instances?

Also there doesn't appear to be a synchronised release of updates such as
with Heartbleed. So is this issue not as severe, or was it not disclosed
properly?



>
>
> Sunny
>
> _______________________________________________
> GLLUG mailing list
> GLLUG at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/gllug
>
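
Added example, not part of the original message or the linked Red Hat article: a defensive check for the condition discussed above. Unpatched bash imported any environment value beginning with `() {` as a function definition at startup, and a CGI server copies request headers into `HTTP_*` variables before running the script. The function names and the sample environment below are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names, constructed sample data).

# Read NAME=VALUE lines on stdin and print the NAME of every entry whose
# value begins with "() {", the prefix unpatched bash treated as an
# exported function definition.
flag_funcdef_values() {
    while IFS= read -r line; do
        name=${line%%=*}
        value=${line#*=}
        case $value in
            '() {'*) printf '%s\n' "$name" ;;
        esac
    done
}

# Same check against the live environment of the current process.
# awk's ENVIRON array avoids the parsing problems multi-line values
# cause when reading the output of `env`.
# On patched bash, legitimately exported functions appear under names
# beginning BASH_FUNC_; any other hit deserves a closer look.
scan_live_env() {
    awk 'BEGIN {
        for (n in ENVIRON)
            if (index(ENVIRON[n], "() {") == 1) print n
    }'
}

# Constructed sample: the kind of environment a CGI script receives,
# with one request header carrying a function-shaped value.
sample_cgi_env() {
    cat <<'EOF'
REQUEST_METHOD=GET
HTTP_HOST=www.example.org
HTTP_USER_AGENT=() { constructed-placeholder; }
HTTP_ACCEPT=text/html
EOF
}
```

Run `sample_cgi_env | flag_funcdef_values` to see the flagged header variable, or `scan_live_env` from inside a service's wrapper script to audit what it actually received.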