Red Hat had a workaround for the Shellshock vulnerability that involves a preload library. The workaround source code is available at bash_ld_preload.c.

But the workaround steps seem to have gone missing now. Was this a bad solution or no solution?

The code:

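```c
#include <sys/types.h>
#include <stdlib.h>
#include <string.h>

/* Runs automatically when the library is loaded (e.g. via LD_PRELOAD). */
static void __attribute__ ((constructor)) strip_env(void);
extern char **environ;

static void strip_env()
{
    char *p,*c;
    int i = 0;
    /* Walk every "NAME=value" entry in the process environment. */
    for (p = environ[i]; p!=NULL;i++ ) {
        /* Look for the marker of an exported bash function. */
        c = strstr(p,"=() {");
        if (c != NULL) {
            /* Cut the entry right after "=(" so bash no longer sees a function body. */
            *(c+2) = '\0';
        }
        p = environ[i];
    }
}
```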
rvh
    Well, a _good_ solution would presumably keep support for exported functions in place for folks who actually want/use it. – Charles Duffy Sep 25 '14 at 21:34
    This question appears to be off-topic because it is about computer security. http://security.stackexchange.com/ would be a better fit. – John Kugelman Sep 26 '14 at 05:46

1 Answer

The code given completely removes all exported functions from the environment (or, rather, makes their contents an empty string).

This does have the side effect you want, of making vulnerabilities related to parsing and handling of exported functions moot.

Charles Duffy
  • Had a sneaky feeling seeing the string termination injection in the code. But still this could be an interim solution while sysadmins scramble to get the patched bash. Perhaps Red Hat published it quickly in panic and referred to it as a dangerous workaround before pulling it. I put it on a few systems and tests show no adverse effects. Yes, there's a risk of breaking something legit, but sysadmins can weigh that risk themselves. – rvh Sep 26 '14 at 13:41
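
An added example, not part of the original thread and not Red Hat's code: the same truncation applied to a constructed environment, showing what each entry looks like afterwards and that the substring match also rewrites an ordinary variable that merely contains `=() {`. The names `strip_entry`, `strip_all`, `is_exported_function` and the sample entries are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample environment; writable arrays because entries are edited in place. */
static char e0[] = "PATH=/usr/bin:/bin";
static char e1[] = "greet=() { echo hello; }";              /* exported function */
static char e2[] = "NOTE=docs say f=() { ... } defines f";  /* ordinary value */
static char *sample_env[] = { e0, e1, e2, NULL };

/* Same truncation as strip_env() on the page, for one "NAME=value" entry.
 * Returns 1 if the entry was modified, 0 if it was left alone. */
static int strip_entry(char *entry)
{
    char *c = strstr(entry, "=() {");   /* matches anywhere in the entry */
    if (c == NULL)
        return 0;
    *(c + 2) = '\0';                    /* keeps "=(" and drops the rest */
    return 1;
}

/* Apply strip_entry() to a NULL-terminated array; returns how many changed. */
static int strip_all(char **env)
{
    int changed = 0;
    for (int i = 0; env[i] != NULL; i++)
        changed += strip_entry(env[i]);
    return changed;
}

/* Hypothetical narrower test (an assumption, not in the page's code):
 * true only when the value itself begins with "() {". */
static int is_exported_function(const char *entry)
{
    const char *eq = strchr(entry, '=');
    return eq != NULL && strncmp(eq, "=() {", 5) == 0;
}

int main(void)
{
    for (int i = 0; sample_env[i] != NULL; i++)
        printf("before: %-40s function=%d\n", sample_env[i],
               is_exported_function(sample_env[i]));
    printf("entries modified: %d\n", strip_all(sample_env));
    for (int i = 0; sample_env[i] != NULL; i++)
        printf("after:  %s\n", sample_env[i]);
    return 0;
}
```

The `NOTE` entry is the kind of collateral change the last comment refers to: it is not an exported function, yet it is truncated as well.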