Сабж. Подробнее. Немного болтовни от RH, включает векторы атаки Предлагаемый патч (RH)
Current bash versions use an environment variable named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the environment. The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function definition. For example, an environment variable setting of
VAR=() { ignored; }; /bin/id
will execute /bin/id when the environment is imported into the bash process. (The process is in a slightly undefined state at this point. The PATH variable may not have been set up yet, and bash could crash after executing /bin/id, but the damage has already happened at this point.)
The major attack vectors that have been identified in this case are HTTP requests and CGI scripts. Here is a sample
If you have a username in your authorization header this could also be an attack vector.
Another attack surface is OpenSSH through the use of AcceptEnv variables. As well through TERM and SSH_ORIGINAL_COMMAND. An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation. This is fire bad.
Это, мягко говоря, СЕРЬЁЗНО.
