Re: Bash security issue

[Eric Blake]

On 09/29/2014 09:05 AM, Henrique de Moraes Holschuh wrote:
> On Mon, 29 Sep 2014, Paul Eggert wrote:
>> which is caused by a widely-distributed Bash fix that overreacted to
>> the bug and is causing me more problems than the bug did.  Let's not
>> do something like this with Autoconf.
> 
> Hmm, that "overreaction" is currently mitigating two undisclosed RCE bugs in
> bash:
> 
> http://lcamtuf.blogspot.co.nz/2014/09/bash-bug-apply-unofficial-patch-now.html
> http://www.itnews.com.au/News/396256,further-flaws-render-shellshock-patch-ineffective.aspx
> 
> Which is going to trigger a third round of shellshock security updates
> (because mitigated is not fixed) soon enough, at which point a lot of people
> might well decide to patch bash to remove the functionality entirely.
> NetBSD and FreeBSD already did.
> 
> But this doesn't affect autoconf, really.
> 
> What _could_ affect autoconf is that bash can add crap to the environment
> which is illegal under POSIX, because bash functions are not as restricted
> as POSIX environment variables.  Sorry, I don't have the link to the
> relevant oss-sec post right now.

Where does POSIX state that environment variable names must be shell
identifiers?  Bash is doing no worse than what 'env' could already do.
ALL programs must be prepared to ignore garbage names in the environment.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

signature.asc
Description: OpenPGP digital signature