touch-packages team mailing list archive
Message #51339
[Bug 1411318] Re: arbitrary code execution
** Description changed:
"The problem with bash's name references
Bash 4.3 introduced declare -n ("name references") to mimic Korn shell's
nameref feature, which permits variables to hold references to other
- variables (see FAQ 006 to see these in action). Unfortunately, the
- implementation used in Bash has some issues.
+ variables (..). Unfortunately, the implementation used in Bash has some
+ issues.
{…} Bash's name reference implementation still allows arbitrary code
execution:
$ foo() { declare -n var=$1; echo "$var"; }
$ foo 'x[i=$(date)]'
bash: i=Thu Mar 27 16:34:09 EDT 2014: syntax error in expression (error token is "Mar 27 16:34:09 EDT 2014")
It's not an elegant example, but you can clearly see that the date
command was actually executed. This is not at all what one wants."
source: http://mywiki.wooledge.org/BashFAQ/048
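As an added example (not from the bug report or the FAQ), a hardened variant of the report's foo() that validates the name against the shell identifier grammar before creating the nameref, so a subscript such as x[i=$(date)] is refused before bash ever evaluates it. is_varname and safe_foo are assumed names; the eval fallback is only there so the block also runs under a POSIX sh that lacks declare -n.

```bash
# Accept only a bare shell identifier: letters, digits and underscore,
# not starting with a digit. Names containing '[', '$', '(' or anything
# else are rejected, so an array subscript can never reach declare -n.
is_varname() {
  case "$1" in
    '' | *[!A-Za-z0-9_]* | [0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Hardened version of the report's foo(): validate first, dereference second.
safe_foo() {
  local value
  if ! is_varname "$1"; then
    printf 'refusing unsafe variable name: %s\n' "$1" >&2
    return 1
  fi
  if [ -n "${BASH_VERSION-}" ]; then
    declare -n ref="$1"      # safe here: "$1" is a plain identifier
    value=$ref
  else
    eval "value=\$$1"        # POSIX fallback, same validated name (assumed)
  fi
  printf '%s\n' "$value"
}

# Demonstration on constructed input.
greeting=hello
safe_foo greeting                 # prints: hello
safe_foo 'x[i=$(date)]' || true   # rejected; date is never executed
```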
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to bash in Ubuntu.
https://bugs.launchpad.net/bugs/1411318
Title:
arbitrary code execution
Status in bash package in Ubuntu:
Confirmed
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1411318/+subscriptions