[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Should this be this way?
|
From: |
Linda Walsh |
|
Subject: |
Re: Should this be this way? |
|
Date: |
Mon, 18 Mar 2013 15:26:30 -0700 |
|
User-agent: |
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.24) Gecko/20100228 Lightning/0.9 Thunderbird/2.0.0.24 Mnenhy/0.7.6.666 |
Chet Ramey wrote:
> On 3/1/13 5:04 PM, Linda Walsh wrote:
>>
>> Chet Ramey wrote:
>>> Your vendor, which may be SuSE, has changed bash and shipped the modified
>>> version.
>> ----
>> Supposedly this has to do with memory corruption problems in
>> 4.2 and the "possibility" that it might come back...
>
> I think you mean bash-3.2. The bug report is five years old. It sounds
> like the SuSE change might be there for quite a while, because, even though
> it's fixed, the problem could always come back. I do wonder why only SuSE
> exhibits the problem.
---
I put forth the possibility that the reason for the bug in the first
place the possibility of some, no longer relevant patch, at that time,
in some other piece of code (perhaps not even in bash, but in some
linking library) causing unpredictable behavior. The idea of carrying around
every patch ever done, didn't seem sound.
FWIW, resolution:
Security team has have reviewed the rbash vector and
consider it not relevant. rbash is not really a security protection
anyway (think perl -e 'system("./a.out");')
Also werner has submitted a bash
that disables the patch for openSUSE Factory.
So it looks like it will be gone after 12.3. I mentioned to them that if
they thought rbash wasn't relevant for them, they could disable building it.