autoconf
Re: Bash security issue


From: Henrique de Moraes Holschuh
Subject: Re: Bash security issue
Date: Mon, 29 Sep 2014 12:05:34 -0300
User-agent: Mutt/1.5.21 (2010-09-15)

On Mon, 29 Sep 2014, Paul Eggert wrote:
> which is caused by a widely-distributed Bash fix that overreacted to
> the bug and is causing me more problems than the bug did.  Let's not
> do something like this with Autoconf.

Hmm, that "overreaction" is currently mitigating two undisclosed RCE bugs in
bash:

http://lcamtuf.blogspot.co.nz/2014/09/bash-bug-apply-unofficial-patch-now.html
http://www.itnews.com.au/News/396256,further-flaws-render-shellshock-patch-ineffective.aspx

Which is going to trigger a third round of shellshock security updates
(because mitigated is not fixed) soon enough, at which point a lot of people
might well decide to patch bash to remove the functionality entirely.
NetBSD and FreeBSD already did.

But this doesn't affect autoconf, really.

What _could_ affect autoconf is that bash can add crap to the environment
which is illegal under POSIX, because bash functions are not as restricted
as POSIX environment variables.  Sorry, I don't have the link to the
relevant oss-sec post right now.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
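
The point above about environment entries that are illegal under POSIX can be checked mechanically. The following is an added example, not part of the original message or of Autoconf: it audits a NUL-separated environment block (the layout of `/proc/<pid>/environ` on Linux) for names that are not POSIX names and for values that look like exported shell functions. The function names, the sample entries and the `() {` value prefix used as the function marker are assumptions of this example.

```python
import re

# POSIX "Name": letters, digits and underscore, not starting with a digit.
POSIX_NAME = re.compile(rb"[A-Za-z_][A-Za-z0-9_]*")
# Assumption: an exported bash function is recognised by this value prefix.
FUNC_PREFIX = b"() {"


def audit_environ(block: bytes):
    """Return [(name, [problems])] for suspicious entries in an environ block."""
    findings = []
    for entry in block.split(b"\0"):
        if not entry:
            continue  # trailing NUL or empty slot
        name, sep, value = entry.partition(b"=")
        problems = []
        if not sep:
            problems.append("no '=' separator")
        if not POSIX_NAME.fullmatch(name):
            problems.append("name is not a POSIX name")
        if value.startswith(FUNC_PREFIX):
            problems.append("value looks like an exported shell function")
        if problems:
            findings.append((name.decode("utf-8", "replace"), problems))
    return findings


def clean_entries(block: bytes):
    """Return only the entries that pass every check, in original order."""
    flagged = {name for name, _ in audit_environ(block)}
    return [e for e in block.split(b"\0")
            if e and e.partition(b"=")[0].decode("utf-8", "replace") not in flagged]


# Constructed sample environment; the function bodies are harmless placeholders.
SAMPLE = b"\0".join([
    b"PATH=/usr/bin:/bin",
    b"CONFIG_SHELL=/bin/sh",
    b"greet=() { echo hello; }",             # legal name, function-style value
    b"BASH_FUNC_my-func%%=() { echo hi; }",  # '-' and '%' are not legal in a name
    b"my.var=1",                             # '.' is not legal in a name
]) + b"\0"

if __name__ == "__main__":
    for name, problems in audit_environ(SAMPLE):
        print(f"{name}: {'; '.join(problems)}")
```

A configure-style script that wants a predictable environment could pass only the result of `clean_entries` on to child processes.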


