httpd-dev mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: Bash CVE-2014-6271 and CGI / HTTPD
Date Wed, 24 Sep 2014 21:51:43 GMT
On 24.09.2014 at 23:29, Yann Ylavic wrote:
> On Wed, Sep 24, 2014 at 11:15 PM, Rainer Jung <rainer.jung@kippdata.de> wrote:
>> A workaround like
>>
>> --- server/util_script.c.orig   2013-09-14 14:12:54.000000000 +0000
>> +++ server/util_script.c        2014-09-24 20:35:54.952054361 +0000
>> @@ -128,6 +128,12 @@
>>               }
>>               ++whack;
>>           }
>> +        /* Sanitize leading "()" because of CVE-2014-6271 bash exploit */
>> +        whack++;
>> +        if (*whack++ == '(' && *whack == ')') {
>
> Don't you mean if (*++whack == '(' && *++whack == ')') instead of the
> 2 lines above?

The original code works (tested with a CGI that prints env vars and 
setting a custom header starting with "()").

The first ++ prefix is not needed because I have a whack++ in the line 
before.

> Otherwise the post incrementation won't be done before the second
> condition, and the test will always be false.
>
>> +            *whack-- = '_';
>> +            *whack = '_';
>> +        }
>>           ++j;
>>       }
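
Review bot: The condition `if (*whack++ == '(' && *whack == ')')` is hard to read because it moves the pointer inside the test, and the body then has to step back with `*whack-- = '_';`. It is correct only because `&&` is a sequence point, so the post-increment completes before the right-hand operand is evaluated. Indexing from the position reached by the preceding `whack++;`, as in `if (whack[0] == '(' && whack[1] == ')')` followed by `whack[0] = whack[1] = '_';`, gives the same result with no side effects in the condition. The comment could also state that only a value beginning exactly with `()` is rewritten.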

Thanks for double checking.

Regards,

Rainer
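
The two forms of the test discussed in this thread, side by side, as an added example that is not part of the original message or the httpd source. It assumes `whack` points at the `=` of a `NAME=value` entry when the hunk is reached (`strchr` stands in for the surrounding loop); the function names and sample entries are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Form from the patch: step past '=', then test with a post-increment.
 * '&&' is a sequence point, so whack already points at the second value
 * character when the right-hand operand is evaluated. */
static void sanitize_patch(char *entry)
{
    char *whack = strchr(entry, '=');   /* assumption: loop left whack on '=' */
    if (whack == NULL)
        return;
    whack++;
    if (*whack++ == '(' && *whack == ')') {
        *whack-- = '_';
        *whack = '_';
    }
}

/* Form suggested in the review: both lines replaced by pre-increments. */
static void sanitize_preinc(char *entry)
{
    char *whack = strchr(entry, '=');
    if (whack == NULL)
        return;
    if (*++whack == '(' && *++whack == ')') {
        *whack-- = '_';
        *whack = '_';
    }
}

/* Run one variant on a copy of `entry` and compare with `expected`. */
static int check(void (*fn)(char *), const char *entry, const char *expected)
{
    char buf[64];
    snprintf(buf, sizeof buf, "%s", entry);
    fn(buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample entries, not taken from the thread. */
    const char *in[]  = { "HTTP_X_TEST=() sample", "HTTP_X_TEST=(x)", "HTTP_X_TEST=", "HTTP_X_TEST=(" };
    const char *out[] = { "HTTP_X_TEST=__ sample", "HTTP_X_TEST=(x)", "HTTP_X_TEST=", "HTTP_X_TEST=(" };
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++)
        printf("%-24s patch:%d preinc:%d\n", in[i],
               check(sanitize_patch, in[i], out[i]), check(sanitize_preinc, in[i], out[i]));
    return 0;
}
```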
