GNU bug report logs - #37864
bug: env exec bomb (no hash bang arg)

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Package: coreutils; Reported by: Michael Coleman <michael.karl.coleman@HIDDEN>; dated Tue, 22 Oct 2019 04:48:02 UTC; Maintainer for coreutils is bug-coreutils@HIDDEN.

Message received at 37864 <at> debbugs.gnu.org:


Received: (at 37864) by debbugs.gnu.org; 22 Oct 2019 10:42:01 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 22 06:42:01 2019
Received: from localhost ([127.0.0.1]:58270 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1iMrc1-0007ZT-Dt
	for submit <at> debbugs.gnu.org; Tue, 22 Oct 2019 06:42:01 -0400
Received: from mail.magicbluesmoke.com ([82.195.144.49]:36714)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <P@HIDDEN>) id 1iMrbz-0007ZG-5f
 for 37864 <at> debbugs.gnu.org; Tue, 22 Oct 2019 06:41:59 -0400
Received: from localhost.localdomain
 (86-42-14-227-dynamic.agg2.lod.rsl-rtd.eircom.net [86.42.14.227])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by mail.magicbluesmoke.com (Postfix) with ESMTPSA id 51DDBB6A7;
 Tue, 22 Oct 2019 11:41:57 +0100 (IST)
Subject: Re: bug#37864: bug: env exec bomb (no hash bang arg)
To: Michael Coleman <michael.karl.coleman@HIDDEN>,
 37864 <at> debbugs.gnu.org
References: <17bClHZId-5_cZF9E-FZDRYXmGPkuZzfhzK4fHuB2PDuSmwYl0QJRx3G8omcoGrdYt0aP1m1zcyT2vT-aovh43kZZ5IjlQj2geVB4r59puM=@protonmail.com>
From: =?UTF-8?Q?P=c3=a1draig_Brady?= <P@HIDDEN>
Message-ID: <8fc4104a-3365-2dda-0751-7f3c033279b8@HIDDEN>
Date: Tue, 22 Oct 2019 11:41:56 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:70.0) Gecko/20100101
 Thunderbird/70.0
MIME-Version: 1.0
In-Reply-To: <17bClHZId-5_cZF9E-FZDRYXmGPkuZzfhzK4fHuB2PDuSmwYl0QJRx3G8omcoGrdYt0aP1m1zcyT2vT-aovh43kZZ5IjlQj2geVB4r59puM=@protonmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 37864
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

On 22/10/2019 03:13, Michael Coleman via GNU coreutils Bug Reports wrote:
> One of my users unwittingly stumbled upon the most delightful 'env' bug.  It seems to be present in a couple of pretty recent distributions.
> 
> Try this:
> 
> ----------------------------
> #!/usr/bin/env
> whatever
> ----------------------------
> 
> This results in an endless 'execve' recursion (if that's the word), pegging the CPU.
> 
> The preferred behavior would be something like a diagnostic, followed by immediate exit with an error result.

Well env is being passed the script name again as an option by the kernel,
and is just executing that. There is no portable way I can see for env
to distinguish this case. I'm not sure it's such an important issue TBH.

cheers,
Pádraig
Information forwarded to bug-coreutils@HIDDEN:
bug#37864; Package coreutils. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 22 Oct 2019 04:47:56 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 22 00:47:56 2019
Received: from localhost ([127.0.0.1]:58160 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1iMm5M-0001vi-4d
	for submit <at> debbugs.gnu.org; Tue, 22 Oct 2019 00:47:56 -0400
Received: from lists.gnu.org ([209.51.188.17]:37036)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <michael.karl.coleman@HIDDEN>)
 id 1iMjfs-0006MF-AK
 for submit <at> debbugs.gnu.org; Mon, 21 Oct 2019 22:13:28 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:42117)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <michael.karl.coleman@HIDDEN>)
 id 1iMjfr-0000dU-84
 for bug-coreutils@HIDDEN; Mon, 21 Oct 2019 22:13:28 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: ****
X-Spam-Status: No, score=4.4 required=5.0 tests=AC_FROM_MANY_DOTS,BAYES_50,
 FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPOOFED_FREEMAIL,URIBL_BLOCKED
 autolearn=disabled version=3.3.2
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <michael.karl.coleman@HIDDEN>)
 id 1iMjfp-0005hx-NP
 for bug-coreutils@HIDDEN; Mon, 21 Oct 2019 22:13:26 -0400
Received: from mail2.protonmail.ch ([185.70.40.22]:60424)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <michael.karl.coleman@HIDDEN>)
 id 1iMjfp-0005hH-GJ
 for bug-coreutils@HIDDEN; Mon, 21 Oct 2019 22:13:25 -0400
Date: Tue, 22 Oct 2019 02:13:13 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
 s=default; t=1571710401;
 bh=Upp8nF22A7UhBu9ntnlByYaHjyrcDZX+ebG9uT0jTPs=;
 h=Date:To:From:Reply-To:Subject:Feedback-ID:From;
 b=WqZdXIFAgVo9JUbCwzwrEHsk1YEpcTmawWz4f/8D/ScS1NdQN7+/Nvsn8PwkrG6dT
 zBYeEoz7/BYF37YwHL8A0miA2jVJlduExj9ycZy+St+eyjiBPPwsVbYlkE5Hp/dg2V
 UB/XpFh4QTfgkU/80bGo60DT51FsdM0T96NLlSKo=
To: "bug-coreutils@HIDDEN" <bug-coreutils@HIDDEN>
From: Michael Coleman <michael.karl.coleman@HIDDEN>
Subject: bug: env exec bomb (no hash bang arg)
Message-ID: <17bClHZId-5_cZF9E-FZDRYXmGPkuZzfhzK4fHuB2PDuSmwYl0QJRx3G8omcoGrdYt0aP1m1zcyT2vT-aovh43kZZ5IjlQj2geVB4r59puM=@protonmail.com>
Feedback-ID: XX9hSSocx1U34xjIhJpxwcNSMDF9qc5KyHXxO3XCrntOXhtds2oDxXpapF4Nn_efTPbd2lkSYC2L7qrjRIv9aQ==:Ext:ProtonMail
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="b1_85cf60dbd0638572be671de6246784a9"
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
 [fuzzy]
X-Received-From: 185.70.40.22
X-Spam-Score: 1.7 (+)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: One of my users unwittingly stumbled upon the most delightful
 'env' bug. It seems to be present in a couple of pretty recent distributions.
 Try this: #!/usr/bin/env whatever 
 Content analysis details:   (1.7 points, 10.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
 blocked.  See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
 for more information. [URIs: protonmail.com]
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail
 provider (michael.karl.coleman[at]protonmail.com)
 1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 0.0 HTML_MESSAGE           BODY: HTML included in message
 -2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,
 medium trust [209.51.188.17 listed in list.dnswl.org]
 1.0 BOMB_FREEM             Bomb + freemail
 2.0 SPOOFED_FREEMAIL       No description available.
X-Debbugs-Envelope-To: submit
X-Mailman-Approved-At: Tue, 22 Oct 2019 00:47:55 -0400
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Reply-To: Michael Coleman <michael.karl.coleman@HIDDEN>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.3 (-)

This is a multi-part message in MIME format.

--b1_85cf60dbd0638572be671de6246784a9
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: base64

T25lIG9mIG15IHVzZXJzIHVud2l0dGluZ2x5IHN0dW1ibGVkIHVwb24gdGhlIG1vc3QgZGVsaWdo
dGZ1bCAnZW52JyBidWcuICBJdCBzZWVtcyB0byBiZSBwcmVzZW50IGluIGEgY291cGxlIG9mIHBy
ZXR0eSByZWNlbnQgZGlzdHJpYnV0aW9ucy4KClRyeSB0aGlzOgoKLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLQojIS91c3IvYmluL2Vudgp3aGF0ZXZlcgotLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tCgpUaGlzIHJlc3VsdHMgaW4gYW4gZW5kbGVzcyAnZXhlY3ZlJyByZWN1cnNpb24gKGlm
IHRoYXQncyB0aGUgd29yZCksIHBlZ2dpbmcgdGhlIENQVS4KClRoZSBwcmVmZXJyZWQgYmVoYXZp
b3Igd291bGQgYmUgc29tZXRoaW5nIGxpa2UgYSBkaWFnbm9zdGljLCBmb2xsb3dlZCBieSBpbW1l
ZGlhdGUgZXhpdCB3aXRoIGFuIGVycm9yIHJlc3VsdC4KClJlZ2FyZHMsCk1pa2U=


--b1_85cf60dbd0638572be671de6246784a9
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: base64

PGRpdj5PbmUgb2YgbXkgdXNlcnMgdW53aXR0aW5nbHkgc3R1bWJsZWQgdXBvbiB0aGUgbW9zdCBk
ZWxpZ2h0ZnVsICdlbnYnIGJ1Zy4mbmJzcDsgSXQgc2VlbXMgdG8gYmUgcHJlc2VudCBpbiBhIGNv
dXBsZSBvZiBwcmV0dHkgcmVjZW50IGRpc3RyaWJ1dGlvbnMuPGJyPjwvZGl2PjxkaXY+PGJyPjwv
ZGl2PjxkaXY+VHJ5IHRoaXM6PGJyPjwvZGl2PjxkaXY+PGJyPjwvZGl2PjxkaXY+LS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLTwvZGl2PjxkaXY+IyEvdXNyL2Jpbi9lbnY8YnI+PC9kaXY+PGRp
dj53aGF0ZXZlcjwvZGl2PjxkaXY+LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTxicj48L2Rp
dj48ZGl2Pjxicj48L2Rpdj48ZGl2PlRoaXMgcmVzdWx0cyBpbiBhbiBlbmRsZXNzICdleGVjdmUn
IHJlY3Vyc2lvbiAoaWYgdGhhdCdzIHRoZSB3b3JkKSwgcGVnZ2luZyB0aGUgQ1BVLjxicj48L2Rp
dj48ZGl2Pjxicj48L2Rpdj48ZGl2PlRoZSBwcmVmZXJyZWQgYmVoYXZpb3Igd291bGQgYmUgc29t
ZXRoaW5nIGxpa2UgYSBkaWFnbm9zdGljLCBmb2xsb3dlZCBieSBpbW1lZGlhdGUgZXhpdCB3aXRo
IGFuIGVycm9yIHJlc3VsdC48L2Rpdj48ZGl2IGNsYXNzPSJwcm90b25tYWlsX3NpZ25hdHVyZV9i
bG9jayBwcm90b25tYWlsX3NpZ25hdHVyZV9ibG9jay1lbXB0eSI+PGRpdiBjbGFzcz0icHJvdG9u
bWFpbF9zaWduYXR1cmVfYmxvY2stdXNlciBwcm90b25tYWlsX3NpZ25hdHVyZV9ibG9jay1lbXB0
eSI+PGJyPjwvZGl2PjxkaXYgY2xhc3M9InByb3Rvbm1haWxfc2lnbmF0dXJlX2Jsb2NrLXByb3Rv
biBwcm90b25tYWlsX3NpZ25hdHVyZV9ibG9jay1lbXB0eSI+PGJyPjwvZGl2PjwvZGl2PjxkaXY+
PGJyPjwvZGl2PjxkaXY+UmVnYXJkcyw8YnI+PC9kaXY+PGRpdj5NaWtlPGJyPjwvZGl2Pg==



--b1_85cf60dbd0638572be671de6246784a9--
Acknowledgement sent to Michael Coleman <michael.karl.coleman@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-coreutils@HIDDEN. Full text available.
Report forwarded to bug-coreutils@HIDDEN:
bug#37864; Package coreutils. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Mon, 25 Nov 2019 12:00:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.