I don't really consider these to be bugs in libguestfs, but a few
places are affected by the infamous bash bug.

* virt-edit passes the '-e' script to Perl using an environment
  variable, and runs Perl using the shell, so:

    $ virt-edit -a /tmp/fedora-20.img /etc/motd -e '() { :; } ; echo hello'
    hello

  Mitigating this is that you shouldn't really be passing untrusted Perl
  scripts to virt-edit in the first place, since Perl itself can do
  pretty much anything.

* the virt-builder/virt-customize --edit flags are similarly affected:

    $ virt-customize --edit '/etc/motd:() { :; } ; echo hello' -a /tmp/fedora-20.img
    [ 0.0] Examining the guest ...
    [ 6.0] Setting a random seed
    [ 6.0] Editing: /etc/motd
    hello
    [ 6.0] Finishing off

* guestfish 'edit' command, same as above

* The guestfish 'event' command lets you specify an environment
  variable that is later passed to bash.

* Probably most seriously, the library passes TERM from its
  environment through to the appliance, and thence through to the
  daemon, which of course runs shell commands all over the place. TERM
  may contain any characters *except* spaces, which may make this route
  impossible to exploit, although I wouldn't be sure.

Anyway, best thing is to update bash.

Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
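
Added example, not part of the original message and not libguestfs code: a wrapper-side check that a program handing data to a shell through the environment could run before spawning it, covering the two routes described above (a script passed in a variable, and TERM forwarded unchanged). The variable name EDIT_EXPR, the TERM allow-list and the "dumb" fallback are assumptions made for illustration.

```python
import re

# An unpatched bash imports any environment value that begins with these
# four characters as a function definition and parses it at startup.
FUNC_PREFIX = "() {"

# Conservative allow-list for terminal names (an assumption for this
# example, not a libguestfs rule).
TERM_OK = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.+-]{0,63}")


def suspicious_vars(env):
    """Names of variables whose value an unpatched bash would parse as a function."""
    return sorted(k for k, v in env.items() if v.startswith(FUNC_PREFIX))


def safe_child_env(env, fallback_term="dumb"):
    """Copy of env for a child that will run a shell.

    Function-shaped values are dropped, and TERM is replaced by a fixed
    fallback unless it matches the allow-list.
    """
    clean = {k: v for k, v in env.items() if not v.startswith(FUNC_PREFIX)}
    if "TERM" in env and not TERM_OK.fullmatch(clean.get("TERM", "")):
        clean["TERM"] = fallback_term
    return clean


# Constructed sample environment. EDIT_EXPR is a hypothetical name for the
# variable a tool might use to carry a user-supplied script; its value is
# the test string from the message above.
SAMPLE = {
    "PATH": "/usr/bin:/bin",
    "LANG": "C",
    "TERM": "xterm;foo",
    "EDIT_EXPR": "() { :; } ; echo hello",
}

if __name__ == "__main__":
    print("flagged:", suspicious_vars(SAMPLE))
    print("child env:", safe_child_env(SAMPLE))
```

Filtering like this only narrows what reaches the shell; a fixed bash is still needed, as the message says.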