[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Bash security issue
From: |
Henrique de Moraes Holschuh |
Subject: |
Re: Bash security issue |
Date: |
Mon, 29 Sep 2014 12:05:34 -0300 |
User-agent: |
Mutt/1.5.21 (2010-09-15) |
On Mon, 29 Sep 2014, Paul Eggert wrote:
> which is caused by a widely-distributed Bash fix that overreacted to
> the bug and is causing me more problems than the bug did. Let's not
> do something like this with Autoconf.
Hmm, that "overreaction" is currently mitigating two undisclosed RCE bugs in
bash:
http://lcamtuf.blogspot.co.nz/2014/09/bash-bug-apply-unofficial-patch-now.html
http://www.itnews.com.au/News/396256,further-flaws-render-shellshock-patch-ineffective.aspx
Which is going to trigger a third round of shellshock security updates
(because mitigated is not fixed) soon enough, at which point a lot of people
might well decide to patch bash to remove the functionality entirely.
NetBSD and FreeBSD already did.
But this doesn't affect autoconf, really.
What _could_ affect autoconf is that bash can add crap to the environment
which is illegal under POSIX, because bash functions are not as restricted
as POSIX environment variables. Sorry, I don't have the link to the
relevant oss-sec post right now.
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
- Re: Bash security issue, (continued)
- Re: Bash security issue, Eric Blake, 2014/09/25
- Re: Bash security issue, Eric Blake, 2014/09/25
- Re: Bash security issue, Shawn H Corey, 2014/09/25
- Re: Bash security issue, Ralf Corsepius, 2014/09/29
- Re: Bash security issue, Eric Blake, 2014/09/29
- Re: Bash security issue, Ralf Corsepius, 2014/09/29
- Re: Bash security issue, Paul Eggert, 2014/09/29
- Re: Bash security issue,
Henrique de Moraes Holschuh <=
- Re: Bash security issue, Eric Blake, 2014/09/29
- Re: Bash security issue, Nick Bowler, 2014/09/29
Re: Bash security issue, Bob Friesenhahn, 2014/09/25
Re: Bash security issue, Nick Bowler, 2014/09/25
- Re: Bash security issue, Eric Blake, 2014/09/25
- Re: Bash security issue, Linda Walsh, 2014/09/25
- Re: Bash security issue, Eric Blake, 2014/09/25
- Re: Bash security issue, Linda Walsh, 2014/09/26
- Re: Bash security issue, lolilolicon, 2014/09/26
- Re: Bash security issue, Zack Weinberg, 2014/09/26