[Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
Devin Jeanpierre jeanpierreda at gmail.com
Fri Sep 26 02:29:23 CEST 2014
On Thu, Sep 25, 2014 at 4:53 PM, Antoine Pitrou <solipsis at pitrou.net> wrote:
>> In other words, os.system is already an attack vector, unless you only use it with trusted strings. I don't think the bash env vulnerability adds to the attack surface.
>>
>> Have I missed something?
>
> The part where the attack payload is passed through the environment, not through hypothetical user-injected command-line arguments.
As I understand it, if the attacker can help specify the environment (e.g. this is a CGI script), and you run os.system('echo hi'), you can get pwned. Even safe uses of os.system are vulnerable unless you point /bin/sh at a secure shell (e.g. patched bash).
-- Devin
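
The message above notes that the payload travels in the inherited environment, so a constant command string does not help when /bin/sh is an unpatched bash. The following is an added example, not code from the thread or from CPython: a caller-side stopgap that drops function-like variables and runs the fixed command without a shell. The names `scrub_env`, `run_fixed_command`, `child_env_names` and the CGI-style `SAMPLE_ENV` are constructed for illustration.

```python
import subprocess
import sys

# Unpatched bash treated any variable whose value starts with exactly this
# prefix as an exported function definition and parsed it at shell startup.
FUNC_PREFIX = "() {"

# Constructed CGI-style environment; the HTTP_* names and values are samples.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "REQUEST_METHOD": "GET",
    "HTTP_X_EXAMPLE": "() { :; }; TRAILING-TEXT-PLACEHOLDER",
    "HTTP_ACCEPT": "text/html",
}


def scrub_env(env):
    """Return (clean_env, dropped_names), dropping function-like values."""
    clean, dropped = {}, []
    for name, value in env.items():
        if value.startswith(FUNC_PREFIX):
            dropped.append(name)
        else:
            clean[name] = value
    return clean, sorted(dropped)


def run_fixed_command(argv, env):
    """Run argv directly (no /bin/sh), passing only the scrubbed environment."""
    clean, dropped = scrub_env(env)
    result = subprocess.run(argv, env=clean, shell=False,
                            capture_output=True, text=True, check=True)
    return result.stdout, dropped


def child_env_names(env):
    """List the variable names a child process actually receives."""
    code = "import os; print('\\n'.join(sorted(os.environ)))"
    out, dropped = run_fixed_command([sys.executable, "-c", code], env)
    return out.split(), dropped


if __name__ == "__main__":
    names, dropped = child_env_names(SAMPLE_ENV)
    print("dropped before exec:", dropped)
    print("child sees:", names)
```

Scrubbing is a stopgap for callers that cannot yet rely on a patched /bin/sh. The lasting fix is the one the message names: pointing /bin/sh at a secure shell.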