GNU Bash Environment Variables Function Parsing Two Vulnerabilities
Description
Michal Zalewski has reported two vulnerabilities in GNU Bash, which can be exploited by malicious people to compromise a vulnerable system.
1) An error in the parser when handling certain script code within environment variables can be exploited to trigger use of uninitialized data and subsequently e.g. execute arbitrary code via a specially crafted variable value.
2) Another error in the parser when handling certain script code within environment variables can be exploited to inject and execute arbitrary OS shell commands via a specially crafted variable value.
The vulnerabilities are reported in versions 4.3 and prior.
Vulnerable Products
Vulnerable Software:
GNU Bash 3.x
GNU Bash 4.x
Solution
Apply mitigation patches available from the vendor, which eliminate the remote vector.
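As an added check that is not part of the advisory: a POSIX shell function that reports whether a given bash binary still imports shell functions from arbitrarily named environment variables, which is the remote vector the vendor mitigation patches close. The variable name `advisory_probe` and its no-op function body are constructed for the check.

```shell
#!/bin/sh
# Added check, not from the advisory: does this bash still import shell functions
# from arbitrarily named environment variables (the remote vector)?
# Exit status: 0 = import disabled (mitigation present), 1 = bash imported the
# constructed function, 2 = bash binary not found.
check_bash_env_function_import() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "bash-not-found"
        return 2
    fi
    # Constructed probe: a variable whose value looks like an exported function
    # with an empty body. Only bash's importer gives it meaning; if it is
    # imported, 'type' reports a function and exits 0, otherwise it exits 1.
    if env 'advisory_probe=() { :; }' "$bash_bin" -c 'type advisory_probe' >/dev/null 2>&1; then
        echo "imports-plain-env-functions"
        return 1
    fi
    echo "plain-env-import-disabled"
    return 0
}

# Stand-alone usage: check the bash on PATH and print its version for the record.
result=$(check_bash_env_function_import bash) || true
version=$(bash -c 'printf "%s" "$BASH_VERSION"' 2>/dev/null) || version="unknown"
printf 'bash %s: %s\n' "$version" "$result"
```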