[Libguestfs] Bash bug

Richard W.M. Jones rjones at redhat.com
Sat Sep 27 10:02:33 UTC 2014

I don't really consider these to be bugs in libguestfs, but a few
places are affected by the infamous bash bug.

* virt-edit passes the '-e' script to Perl using an environment
variable, and runs Perl using the shell, so:

  $ virt-edit -a /tmp/fedora-20.img /etc/motd -e '() { :; } ; echo hello'

Mitigating this is that you shouldn't really be passing untrusted Perl
scripts to virt-edit in the first place, since Perl itself can do
pretty much anything.

* the virt-builder/virt-customize --edit flags are similarly affected:

  $ virt-customize --edit '/etc/motd:() { :; } ; echo hello' -a /tmp/fedora-20.img 
  [   0.0] Examining the guest ...
  [   6.0] Setting a random seed
  [   6.0] Editing: /etc/motd
  [   6.0] Finishing off

* guestfish 'edit' command, same as above

* The guestfish 'event' command lets you specify an environment
variable that is later passed to bash.

* Probably most seriously, the library passes TERM from its
environment through to the appliance, and thence through to the
daemon, which of course runs shell commands all over the place.  TERM
may contain any characters *except* spaces, which may make this route
impossible to exploit, although I wouldn't be sure.

Anyway, best thing is to update bash.


Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch

More information about the Libguestfs mailing list