[clug] Security talk and the bash 'shellshock' vulnerability

Brett Worth brett.worth at gmail.com
Sat Sep 27 05:58:22 MDT 2014



On 27/09/14 21:11, Carlo Hamalainen wrote:
> $ cat <<EOF >test.sh
> #!/bin/bash
> cat /dev/null
> EOF
> 
> $ chmod a+x test.sh
> $ env cat='() { echo rm -rf /; }' ./test.sh
> 
> This will echo rm -fr /.

So this is why it's a good idea to always use fully qualified paths to executables
called from shell scripts.

Brett

- -- 
  /) _ _ _/_/ / / /  _ _//
 /_)/</= / / (_(_/()/< ///
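
Added example, not part of the original message: the quoted test works because bash imports an environment variable whose value begins with "() {" as a function definition. The sketch below flags such variables and runs a command with them removed. The function names find_function_vars and run_scrubbed are hypothetical, the sample environment is constructed, and it assumes an env that supports -u (GNU coreutils, BSD, busybox).

```shell
#!/bin/sh
# find_function_vars: read NAME=VALUE lines on stdin and print the NAME of
# every entry whose VALUE starts with "() {", the shape bash uses when it
# exports a function. Patched bash names these BASH_FUNC_name%%, older
# versions used the bare function name (as in the quoted "cat" test).
# Limitation: reads line by line, so only the first line of a multi-line
# value is inspected.
find_function_vars() {
    while IFS= read -r entry; do
        case "$entry" in
            *=*) ;;             # NAME=VALUE line, inspect it
            *) continue ;;      # continuation line or junk, skip
        esac
        name=${entry%%=*}       # text before the first "="
        value=${entry#*=}       # text after the first "="
        case "$value" in
            '() {'*) printf '%s\n' "$name" ;;
        esac
    done
}

# run_scrubbed: run "$@" with every flagged variable removed from the
# environment. env -u is used because names such as BASH_FUNC_cat%% are not
# valid shell identifiers and cannot be removed with "unset".
run_scrubbed() {
    flagged=$(env | find_function_vars)
    for n in $flagged; do
        set -- -u "$n" "$@"
    done
    env "$@"
}

# Constructed sample environment dump, for illustration only.
sample_env() {
    printf '%s\n' \
        'HOME=/home/user' \
        'cat=() { echo rm -rf /; }' \
        'PATH=/usr/bin:/bin' \
        'BASH_FUNC_ls%%=() {  echo hello'
}

echo "flagged in sample:"
sample_env | find_function_vars
```

For example, "run_scrubbed ./test.sh" starts the script without any function-shaped variables in its environment.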

