|
From: | Ralf Corsepius |
Subject: | Re: Bash security issue |
Date: | Mon, 29 Sep 2014 15:24:30 +0200 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1 |
On 09/29/2014 03:13 PM, Eric Blake wrote:
On 09/29/2014 05:19 AM, Ralf Corsepius wrote:On 09/25/2014 05:53 PM, Eric Blake wrote:Huh? There is no wasted effort in teaching configure scripts to warn users that they are running on an unpatched vulnerable system. Just because a fix may be available doesn't mean everyone is running the fix.I do not see any sense in this at all, unless the bash bug itself would impact configure scripts themselves.But it MIGHT impact configure scripts. One of the goals of configure is to 'export' variables into the build environment prior to calling config.status recipes.
Yes, but only those which are relevant. Not any arbitrary ones.
The whole point of the Shell Shock bug is that there are some values that you cannot safely export, because doing so risks your child misbehaving. As we cannot predict which child processes will be run during config.status, configure scripts may indeed be vulnerable.
Do you have proof or is this just paranoia/hysteria?I am inclined to believe your action to be "hyperactivity" addressing a temporary issue, which soon will be non important but be carried around ad infinitum until nobody recalls the origin. It also won't help the 1000s of existing generated configure scripts.
Ralf
[Prev in Thread] | Current Thread | [Next in Thread] |