I'll say it again [1]: Thank God for Florian Weimer! And after this excellent post I'm adding Michal Zalewski to that list.<p>1. <a href="https://news.ycombinator.com/item?id=8378515" rel="nofollow">https://news.ycombinator.com/item?id=8378515</a>
I think there is a fairly convincing argument here that a lot of these bugs might not have occurred if Bash used a hand-written, recursive-descent parser instead of a Yacc autogenerated one:<p>- The original ShellShock: Reused the general parsing/execution function for the subset task of evaluating a function definition. A hand-written parser would likely have this isolated to its own function. With a Yacc parser, there is neither an obvious nor easy way to call directly into the parser to parse a "nonterminal".<p>- The ones in the article having to do with error handling: traditionally, error handing in autogenerated parsers has been more difficult and Yacc is no exception. This is related to the first point in that a function for only parsing the function definitions would never execute its input, even upon encountering an error; the usual abort behaviour means the parser stack unwinds until the original caller - in this case the code parsing environment variables for function definitions - recognises the error, outputs an error message, and in this case, ignores the definition.<p>- The operation of a recursive-descent parser is simpler to trace through manually since each piece of the grammar is logically broken into separate functions, making it easier to audit than the more opaque flow of a Yacc one.
The real problem is that Bash has a huge attack surface and isn't written with security in mind. With the number of new exploits found here without too much effort, there are almost certainly more yet to be found. (Or already known to attackers.)
I am still showing segfault on a fully patched (through #20) copy of Bash 3.0<p><pre><code> bash -c "f(){ x(){ _;};x(){ _;}<<a;}"
Segmentation fault (core dumped)</code></pre>
Bash is doing a crazy about of stuff under-the-hood. I spent a lot of time over the weekend inside gdb trying to trace down one weird behavior that appeared when I added a single printf(), and I got taken on a very wild ride.<p>(It wasn't necessarily a security issue, but I figured I'd go exploring to learn some bash internals.)
Red Hat's communication on their distribution of Florian's patch was sorely lacking, especially after <a href="http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html" rel="nofollow">http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficia...</a>.<p>It was in no way clear that Red Hat's second release included Florian's fixes - I found out from Mark Cox's post on this Twitter thread - <a href="https://twitter.com/lcamtuf/status/516297412579581952" rel="nofollow">https://twitter.com/lcamtuf/status/516297412579581952</a>
bashcheck <a href="https://github.com/hannob/bashcheck/blob/master/bashcheck" rel="nofollow">https://github.com/hannob/bashcheck/blob/master/bashcheck</a> includes now also tests for the last 2 lcamtuf bugs, so it tests now for 6 known vulns from this shellshock series, plus a general test for variable function parser safety.