[10316] in bugtraq
Re: Bash Bug
daemon@ATHENA.MIT.EDU (Marc Lehmann)
Thu Apr 22 13:27:45 1999
Mail-Followup-To: BUGTRAQ@NETSPACE.ORG
Date: Thu, 22 Apr 1999 03:18:48 +0200
Reply-To: Marc Lehmann <pcg@GOOF.COM>
From: Marc Lehmann <pcg@GOOF.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.4.10.9904202114070.6623-100000@smooth.Operator.org>;
from Shadow on Tue, Apr 20, 1999 at 09:25:47PM -0400
On Tue, Apr 20, 1999 at 09:25:47PM -0400, Shadow wrote:
>
> If a user creates a directory with a command like
>
> mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` "
It seems to me that this is related to the prompt string parsing. If yes,
then bash is not vulnerable unless configured to display the current
directory (correct me if the root of the problem is different).
Some additional notes:
- I was unable to reproduce this on my system, even when bash is configured
to display the current path in the prompt. (bash 2.02.1(1))
- The original example seemed to have too much whitespace. I used:
mkdir "\`echo -e \"echo + +> ~\57.rhosts\" > x; source x; rm -f \x\`"
- PS1 was set to \h:\w\$
HTH
--
-----==- |
----==-- _ |
---==---(_)__ __ ____ __ Marc Lehmann +--
--==---/ / _ \/ // /\ \/ / pcg@goof.com |e|
-=====/_/_//_/\_,_/ /_/\_\ XX11-RIPE --+
The choice of a GNU generation |
|
