Bug 193932

Summary: Add an option to disable the parsing of functions from environment variables
Product: Ports & Packages
Reporter: eric
Component: Individual Port(s)
Assignee: Bryan Drewery <bdrewery>
Status: Closed FIXED
Severity: Affects Many People
CC: bdrewery, ehaupt
Priority: ---
Version: Latest
Hardware: Any
OS: Any
Attachments:
  Add an option to disable the parsing of functions from environment variables (Flags: none)

Description eric 2014-09-25 18:47:47 UTC
Created attachment 147678 [details]
Add an option to disable the parsing of functions from environment variables

The whole idea of parsing shell code from environment variables seems far too risky.  The attached patch adds a port option to disable this behavior completely.

Thoughts?
Comment 1 eric 2014-09-25 18:57:20 UTC
For the record, this is in response to the "Shellshock" vulnerabilities CVE-2014-6271 and CVE-2014-7169.
Comment 2 commit-hook freebsd_committer freebsd_triage 2014-09-26 20:34:14 UTC
A commit references this bug:

Author: bdrewery
Date: Fri Sep 26 20:33:24 UTC 2014
New revision: 369341
URL: http://svnweb.freebsd.org/changeset/ports/369341

Log:
  Disable function importing from the environment by default.  This can be
  enabled by using --import-functions or enabling the IMPORTFUNCTIONS option.

  This removes the risk of further parser bugs leading to code execution, as
  well as the risk to setuid scripts and poorly written applications that
  do not cleanse their environment [1][2].

  Also note that there is an unofficial 4.3.26 floating around that has not yet
  been officially released.  r369261 covers the change in 4.3.26.

  See also:
    http://seclists.org/oss-sec/2014/q3/747 [1]
    http://seclists.org/oss-sec/2014/q3/746 [2]
    http://seclists.org/oss-sec/2014/q3/755 [3]

  Obtained from:	NetBSD (based on) [3]
  PR:		193932
  Reviewed by:	Eric Vangyzen
  With hat:	portmgr

Changes:
  head/UPDATING
  head/shells/bash/Makefile
  head/shells/bash/files/extrapatch-import-functions
Comment 3 commit-hook freebsd_committer freebsd_triage 2014-09-26 21:11:19 UTC
A commit references this bug:

Author: bdrewery
Date: Fri Sep 26 21:10:27 UTC 2014
New revision: 369345
URL: http://svnweb.freebsd.org/changeset/ports/369345

Log:
  MFH: r369341

  Disable function importing from the environment by default.  This can be
  enabled by using --import-functions or enabling the IMPORTFUNCTIONS option.

  This removes the risk of further parser bugs leading to code execution, as
  well as the risk to setuid scripts and poorly written applications that
  do not cleanse their environment [1][2].

  Also note that there is an unofficial 4.3.26 floating around that has not yet
  been officially released.  r369261 covers the change in 4.3.26.

  See also:
    http://seclists.org/oss-sec/2014/q3/747 [1]
    http://seclists.org/oss-sec/2014/q3/746 [2]
    http://seclists.org/oss-sec/2014/q3/755 [3]

  Obtained from:	NetBSD (based on) [3]
  PR:		193932
  Reviewed by:	Eric Vangyzen
  With hat:	portmgr

Changes:
_U  branches/2014Q3/
  branches/2014Q3/UPDATING
  branches/2014Q3/shells/bash/Makefile
  branches/2014Q3/shells/bash/files/extrapatch-import-functions
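As an added example (not part of this PR or of the committed port patch), a POSIX sh script that checks whether the bash found on PATH still imports shell functions from the environment, the behaviour r369341 turns off by default. The plain `name=() { ... }` encoding is the one this PR is about; the `BASH_FUNC_name()` and `BASH_FUNC_name%%` encodings come from later upstream bash releases and are an assumption about the bash under test, not something this page describes.

```shell
#!/bin/sh
# Added example: report whether the bash on PATH imports functions
# from the environment. Each probe passes a constructed, harmless
# function definition in an environment variable and asks the child
# bash whether a function named "ssprobe" exists after startup.

# probe_import VARNAME -> prints "imports", "ignores" or "no-bash"
probe_import() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(env "$1=() { echo probe-ran; }" \
          bash -c 'type -t ssprobe 2>/dev/null' 2>/dev/null)
    if [ "$out" = "function" ]; then echo imports; else echo ignores; fi
}

# check_all -> exit 0 if no encoding is imported (hardened, as the port
# now ships), 1 if any encoding is imported, 2 if bash is missing.
check_all() {
    # pre-4.3.26 form: the bare variable name carries the definition
    old=$(probe_import ssprobe)
    # bash 4.3 patches 27-30 form (assumed): BASH_FUNC_name()
    mid=$(probe_import 'BASH_FUNC_ssprobe()')
    # bash 4.4 and later form (assumed): BASH_FUNC_name%%
    new=$(probe_import 'BASH_FUNC_ssprobe%%')
    printf 'plain:%s func():%s func%%%%:%s\n' "$old" "$mid" "$new"
    case "$old$mid$new" in
        *imports*) echo "function import from environment: ENABLED"; return 1 ;;
        *no-bash*) echo "bash not found on PATH"; return 2 ;;
        *)         echo "function import from environment: disabled"; return 0 ;;
    esac
}

check_all
```

On an unpatched 4.3.25 the plain-name probe reports "imports"; on the port as committed here all three report "ignores" unless IMPORTFUNCTIONS or --import-functions is in use.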