[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Bug in bash <= 4.3 [security feature bypassed]

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Bug in bash <= 4.3 [security feature bypassed]
From: Hector Marco <hecmargi@xxxxxx>
Date: Tue, 03 Jun 2014 16:16:31 +0200

Hi everyone,

Recently we discovered a bug in bash. After some time after reporting
it to bash developers, it has not been fixed.

We think that this is a security issue because in some circumstances
the bash security feature could be bypassed allowing the bash to be a
valid target shell in an attack.

We strongly recommend to patch your bash code.

Why don't fix this bug by simple adding mandatory "if" clause ?
Any comments about this issue are welcomed.


Details at:
http://hmarco.org/bugs/bash_4.3-setuid-bug.html



Thanks you,

Hector Marco
http://hmarco.org

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Follow-Ups:
- Re: [FD] [oss-security] Bug in bash <= 4.3 [security feature bypassed]
  - From: Jose Carlos Luna Duran

Prev by Date: [FD] CVE-2014-1226 s3dvt Root shell (still)
Next by Date: [FD] Is Your Antivirus Tracking You? You'd Be Surprised At What It Sends
Previous by thread: [FD] CVE-2014-1226 s3dvt Root shell (still)
Next by thread: Re: [FD] [oss-security] Bug in bash <= 4.3 [security feature bypassed]
Index(es):
- Date
- Thread