COMMAND

    bash

SYSTEMS AFFECTED

    Systems running bash (1.14.6 and earlier) installed as "/bin/sh"

PROBLEM

    There is  a variable  declaration error  in the  "yy_string_get()"
    function in the "parse.y" module  of the "bash" source code.  This
    function is responsible for parsing the user-provided command line
    into  separate  tokens  (commands,  special characters, arguments,
    etc.).  The error involves  the variable "string", which has  been
    declared to be of type "char *".

    The "string"  variable is  used to  traverse the  character string
    containing  the  command  line  to  be  parsed.  As characters are
    retrieved from this pointer, they are stored in a variable of type
    "int".  On  systems/compilers  where  the  "char" type defaults to
    "signed char" this value will be sign-extended when it is assigned
    to the   "int" variable.  For character  code 255  decimal (-1  in
    two's complement form), this  sign extension results in  the value
    (-1) being assigned to the integer.

    However, (-1) is used in other parts of the parser to indicate the
    end of a command. Thus, the character code 255 decimal (377 octal)
    will serve as an  unintended command separator for  commands given
    to bash via the "-c" option. For example,

        bash -c 'ls\377who'

    (where  "\377"  represents  the  single  character  with value 255
    decimal) will execute two commands, "ls" and "who".
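
    The following C program is an added illustration of the defect
    described above; it is not code from the advisory or from bash, and
    all names in it are hypothetical. A reader that fetches bytes through
    a signed "char" turns the byte 255 into (-1), which is also the
    sentinel the parser uses for "no more input", so the advisory's
    "ls\377who" splits into two commands; the variant that widens through
    "unsigned char" keeps it as one. The same reasoning applies to any
    code that assigns a "char" to an "int" and compares it against EOF.

```c
#include <stdio.h>

/* Hypothetical model of the bug class, not bash's own code: a reader
   whose "no more input" sentinel collides with a sign-extended byte. */
#define END_OF_INPUT (-1)

/* Vulnerable: fetching through signed char turns byte 0xFF (255) into
   -1, the same value as END_OF_INPUT. signed char is spelled out so the
   demo behaves identically on platforms whose plain char is unsigned. */
static int get_char_buggy(const char **p) {
    const signed char *sc = (const signed char *)*p;
    if (*sc == '\0') return END_OF_INPUT;   /* genuine end of string */
    (*p)++;
    return *sc;
}

/* Fixed: widen through unsigned char, so only the NUL yields the sentinel. */
static int get_char_fixed(const char **p) {
    const unsigned char *uc = (const unsigned char *)*p;
    if (*uc == '\0') return END_OF_INPUT;
    (*p)++;
    return *uc;
}

/* What the parser receives for the first byte of s. */
static int first_byte_as_int(const char *s, int (*get)(const char **)) {
    return get(&s);
}

/* Commands a parser sees when END_OF_INPUT terminates a command. */
static int count_commands(const char *line, int (*get)(const char **)) {
    int commands = 0, in_cmd = 0;
    const char *p = line;
    for (;;) {
        int c = get(&p);
        if (c != END_OF_INPUT) { in_cmd = 1; continue; }
        if (in_cmd) commands++;
        in_cmd = 0;
        if (*p == '\0') return commands;    /* real end of the line */
    }
}

int main(void) {
    const char *line = "ls\377who";   /* constructed: the advisory's example */
    printf("signed-char reader: %d command(s)\n", count_commands(line, get_char_buggy));
    printf("unsigned-char reader: %d command(s)\n", count_commands(line, get_char_fixed));
    return 0;
}
```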

    This unexpected command separator can be dangerous, especially  on
    systems such as Linux where bash has been installed as  "/bin/sh,"
    when a  program executes  a command  with a  string provided  by a
    user as an  argument using the  "system()" or "popen()"  functions
    (or by calling "/bin/sh -c string" directly).

    This  is  especially  true  for  the  CGI programming interface in
    World Wide Web servers, many of which do not strip out  characters
    with value 255 decimal. If a  user sending data to the server  can
    specify the character  code 255 in  a string that  is passed to  a
    shell, and that shell is bash, the user can execute any  arbitrary
    command with the user-id and  permissions of the user running  the
    server (frequently "root").

    The bash  built-in commands  "eval," "source,"  and "fc"  are also
    potentially vulnerable to this problem.

SOLUTION

    Version 1.14.7 of bash has been released. You can obtain this new
    version from:

        ftp://slc2.ins.cwru.edu/pub/dist/bash-1.14.7.tar.gz