[Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on nx and OSX (original) (raw)

Antoine Pitrou solipsis at pitrou.net
Fri Sep 26 01:53:22 CEST 2014

• Previous message: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
• Next message: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 26 Sep 2014 09:40:17 +1000 Steven D'Aprano <steve at pearwood.info> wrote:

Perhaps I'm missing something, but aren't there easier ways to attack os.system than the bash env vulnerability? If I'm accepting and running arbitrary strings from an untrusted user, there's no need for them to go to the trouble of feeding me:

"env x='() { :;}; echo gotcha' bash -c 'echo do something useful'" when they can just feed me: "echo gotcha" In other words, os.system is already an attack vector, unless you only use it with trusted strings. I don't think the bash env vulnerability adds to the attack surface. Have I missed something?

The part where the attack payload is passed through the environment, not through hypothetical user-injected command-line arguments.

Regards

Antoine.

• Previous message: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
• Next message: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Python-Dev mailing list