Report

CVE-2014-7169 is an incomplete fix for CVE-2014-6271 (Shellshock) in bash 4.3-p25. In `variables.c`, `initialize_shell_variables()` processes exported function definitions from environment variables. It checks that the value starts with `() {`, constructs `temp_string = name + ' ' + string`, then calls `parse_and_execute()`. The guard at line 361 reads `if (posixly_correct == 0 || legal_identifier(name))`, meaning that in non-POSIX mode (the default), `parse_and_execute()` is called even when `name` contains shell metacharacters. An attacker sets an environment variable whose NAME contains backticks or `$()` to inject arbitrary commands: for example, the variable `` `touch /tmp/pwned`=() { :; } `` causes the backtick in the name to execute `touch /tmp/pwned` when bash starts.
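The guard logic described above, modelled as an added example (not bash's source code) that audits an environment for function-style exports the quoted guard would parse despite an illegal name. All function names are hypothetical, `is_legal_identifier()` is a stand-in for bash's `legal_identifier()`, and `guard_strict()` is an assumed hardening, not the upstream patch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for bash's legal_identifier(): [A-Za-z_][A-Za-z0-9_]* */
int is_legal_identifier(const char *s, size_t n) {
    if (n == 0 || !(isalpha((unsigned char)s[0]) || s[0] == '_')) return 0;
    for (size_t i = 1; i < n; i++)
        if (!(isalnum((unsigned char)s[i]) || s[i] == '_')) return 0;
    return 1;
}

/* Guard as quoted in the report: the name is only checked in POSIX mode. */
int guard_as_reported(int posixly_correct, const char *s, size_t n) {
    return posixly_correct == 0 || is_legal_identifier(s, n);
}

/* Assumed stricter guard: the name must be a legal identifier in every mode. */
int guard_strict(const char *s, size_t n) { return is_legal_identifier(s, n); }

/* 1 if "NAME=VALUE" is a function-style export ("() {" prefix) that the
   reported guard would hand to the parser but the strict guard rejects. */
int entry_is_flagged(const char *entry, int posixly_correct) {
    const char *eq = strchr(entry, '=');
    if (eq == NULL || strncmp(eq + 1, "() {", 4) != 0) return 0;
    size_t n = (size_t)(eq - entry);
    return guard_as_reported(posixly_correct, entry, n) && !guard_strict(entry, n);
}

/* Constructed sample environment; the third entry is the report's example. */
const char *const sample_env[] = {
    "PATH=/usr/bin:/bin",
    "greet=() { echo hi; }",
    "`touch /tmp/pwned`=() { :; }",
    "BAD-NAME=plain value",
    NULL
};

int count_flagged(const char *const *envp, int posixly_correct) {
    int hits = 0;
    for (; *envp != NULL; envp++)
        hits += entry_is_flagged(*envp, posixly_correct);
    return hits;
}

int main(void) {
    printf("flagged, default mode: %d\n", count_flagged(sample_env, 0));
    printf("flagged, POSIX mode:   %d\n", count_flagged(sample_env, 1));
    return 0;
}
```

Only the entry with backticks in its name is flagged, and only in the default mode, because in POSIX mode the quoted guard already rejects it.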
