[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Libguestfs] Bash bug

I don't really consider these to be bugs in libguestfs, but a few
places are affected by the infamous bash bug.

* virt-edit passes the '-e' script to Perl using an environment
variable, and runs Perl using the shell, so:

  $ virt-edit -a /tmp/fedora-20.img /etc/motd -e '() { :; } ; echo hello'

Mitigating this is that you shouldn't really be passing untrusted Perl
scripts to virt-edit in the first place, since Perl itself can do
pretty much anything.

* the virt-builder/virt-customize --edit flags are similarly affected:

  $ virt-customize --edit '/etc/motd:() { :; } ; echo hello' -a /tmp/fedora-20.img 
  [   0.0] Examining the guest ...
  [   6.0] Setting a random seed
  [   6.0] Editing: /etc/motd
  [   6.0] Finishing off

* guestfish 'edit' command, same as above

* The guestfish 'event' command lets you specify an environment
variable that is later passed to bash.

* Probably most seriously, the library passes TERM from its
environment through to the appliance, and thence through to the
daemon, which of course runs shell commands all over the place.  TERM
may contain any characters *except* spaces, which may make this route
impossible to exploit, although I wouldn't be sure.

Anyway, best thing is to update bash.


Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]