Created attachment 147678
Add an option to disable the parsing of functions from environment variables

The whole idea of parsing shell code from environment variables seems far too risky. The attached patch adds a port option to disable this behavior completely. Thoughts?
For the record, this is in response to the "Shellshock" vulnerabilities CVE-2014-6271 and CVE-2014-7169.
A commit references this bug:

Author: bdrewery
Date: Fri Sep 26 20:33:24 UTC 2014
New revision: 369341
URL: http://svnweb.freebsd.org/changeset/ports/369341

Log:
  Disable function importing from the environment by default. This can be enabled by using --import-functions or enabling the IMPORTFUNCTIONS option.

  This removes the risk of further parser bugs leading to code execution, as well as the risk to setuid scripts and poorly written applications that do not cleanse their environment [1][2].

  Also note that there is an unofficial 4.3.26 floating around that has not yet been officially released. r369261 covers the change in 4.3.26.

  See also: http://seclists.org/oss-sec/2014/q3/747 [1]
            http://seclists.org/oss-sec/2014/q3/746 [2]
            http://seclists.org/oss-sec/2014/q3/755 [3]

  Obtained from: NetBSD (based on) [3]
  PR: 193932
  Reviewed by: Eric Vangyzen
  With hat: portmgr

Changes:
  head/UPDATING
  head/shells/bash/Makefile
  head/shells/bash/files/extrapatch-import-functions
A commit references this bug:

Author: bdrewery
Date: Fri Sep 26 21:10:27 UTC 2014
New revision: 369345
URL: http://svnweb.freebsd.org/changeset/ports/369345

Log:
  MFH: r369341

  Disable function importing from the environment by default. This can be enabled by using --import-functions or enabling the IMPORTFUNCTIONS option.

  This removes the risk of further parser bugs leading to code execution, as well as the risk to setuid scripts and poorly written applications that do not cleanse their environment [1][2].

  Also note that there is an unofficial 4.3.26 floating around that has not yet been officially released. r369261 covers the change in 4.3.26.

  See also: http://seclists.org/oss-sec/2014/q3/747 [1]
            http://seclists.org/oss-sec/2014/q3/746 [2]
            http://seclists.org/oss-sec/2014/q3/755 [3]

  Obtained from: NetBSD (based on) [3]
  PR: 193932
  Reviewed by: Eric Vangyzen
  With hat: portmgr

Changes:
  _U branches/2014Q3/
  branches/2014Q3/UPDATING
  branches/2014Q3/shells/bash/Makefile
  branches/2014Q3/shells/bash/files/extrapatch-import-functions
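As an added check that is not part of this bug's patch or the bash port: a small POSIX sh helper that reports whether a given bash binary still imports functions from the environment (the behaviour the commits above turn off by default), and that the environment cleansing the log message asks of setuid scripts and wrappers blocks the import on any build. The BASH_BIN variable and the function names are my own; passing --import-functions to the child assumes the port's new flag is accepted ahead of -c.

```shell
#!/bin/sh
# Added helper, not from the bash port or the attached patch: probe whether a
# bash build parses shell function definitions out of its environment, which
# the port now disables unless --import-functions / IMPORTFUNCTIONS is used.

# bash_imports_functions [child-command ...]
# An outer bash (BASH_BIN, default "bash") exports a harmless function, then
# starts the child command (default: the same bash) and asks it whether that
# function exists. Prints "enabled" or "disabled".
bash_imports_functions() {
    outer="${BASH_BIN:-bash}"
    [ $# -gt 0 ] || set -- "$outer"
    if "$outer" -c 'probe_fn() { echo imported; }; export -f probe_fn
                    "$@" -c "type probe_fn >/dev/null 2>&1"' _ "$@"; then
        echo enabled
    else
        echo disabled
    fi
}

# Same probe, but the child is launched through "env -i", the environment
# cleansing the commit message expects of setuid scripts and wrappers. The
# definition never reaches the child, so every bash build reports "disabled".
bash_imports_functions_sanitized() {
    [ $# -gt 0 ] || set -- "${BASH_BIN:-bash}"
    bash_imports_functions env -i "$@"
}

# Typical calls:
#   bash_imports_functions
#   bash_imports_functions bash --import-functions
#   bash_imports_functions_sanitized
```

On a bash built with import disabled the first call prints disabled and the second, with the port's flag, prints enabled; the sanitized variant prints disabled regardless of build, which is the property a wrapper around an untrusted environment should rely on.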