diff options
| author | Chet Ramey <chet.ramey@case.edu> | 2019-11-25 02:05:27 +0100 |
|---|---|---|
| committer | Vasyl Gello <vasek.gello@gmail.com> | 2019-11-26 20:25:33 +0000 |
| commit | 998f8d357138ebf527ce5b79678cdad5d757f469 (patch) | |
| tree | bf767c4c413eb6c141ef55f0cd3615f3de497faa | |
| parent | a823e4b102c5028940e51dbcadfeb116cb07e7a8 (diff) | |
| download | android_external_bash-998f8d357138ebf527ce5b79678cdad5d757f469.tar.gz android_external_bash-998f8d357138ebf527ce5b79678cdad5d757f469.tar.bz2 android_external_bash-998f8d357138ebf527ce5b79678cdad5d757f469.zip | |
bash: BASH_CMD is writable in restricted bash shellslineage-17.0
rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying
BASH_CMDS, thus allowing the user to execute any command with the permissions
of the shell.
Fixes CVE-2019-9924
Change-Id: I1276b0920e28edd2096c3e9a346ce1d79304a66b
| -rw-r--r-- | variables.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/variables.c b/variables.c index f816ffe..b059b1a 100644 --- a/variables.c +++ b/variables.c @@ -1601,6 +1601,13 @@ assign_hashcmd (self, value, ind, key) arrayind_t ind; char *key; { +#if defined (RESTRICTED_SHELL) + if (restricted && strchr (value, '/')) + { + sh_restricted (value); + return (SHELL_VAR *)NULL; + } +#endif phash_insert (key, value, 0, 0); return (build_hashcmd (self)); } |