Re: Bash security issue
From: Eric Blake
Subject: Re: Bash security issue
Date: Mon, 29 Sep 2014 10:04:48 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1

On 09/29/2014 09:05 AM, Henrique de Moraes Holschuh wrote:
> On Mon, 29 Sep 2014, Paul Eggert wrote:
>> which is caused by a widely-distributed Bash fix that overreacted to
>> the bug and is causing me more problems than the bug did. Let's not
>> do something like this with Autoconf.
>
> Hmm, that "overreaction" is currently mitigating two undisclosed RCE bugs in
> bash:
>
> http://lcamtuf.blogspot.co.nz/2014/09/bash-bug-apply-unofficial-patch-now.html
> http://www.itnews.com.au/News/396256,further-flaws-render-shellshock-patch-ineffective.aspx
>
> Which is going to trigger a third round of shellshock security updates
> (because mitigated is not fixed) soon enough, at which point a lot of people
> might well decide to patch bash to remove the functionality entirely.
> NetBSD and FreeBSD already did.
>
> But this doesn't affect autoconf, really.
>
> What _could_ affect autoconf is that bash can add crap to the environment
> which is illegal under POSIX, because bash functions are not as restricted
> as POSIX environment variables. Sorry, I don't have the link to the
> relevant oss-sec post right now.

Where does POSIX state that environment variable names must be shell
identifiers? Bash is doing no worse than what 'env' could already do.
ALL programs must be prepared to ignore garbage names in the environment.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
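
Added example (not part of the message above, and not code from Bash or Autoconf): a C sketch of a program tolerating "garbage" environment entries by skipping them during lookup instead of failing. The function names and the sample environment are assumptions constructed for illustration; the `BASH_FUNC_foo%%` entry imitates the name form patched Bash uses for an exported function.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Length of the name part of "NAME=value", or 0 if the entry has no '='
 * or an empty name (a caller of execve() can pass either). */
static size_t env_name_len(const char *entry)
{
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : 0;
}

/* True if the first len bytes form a shell identifier: [A-Za-z_][A-Za-z0-9_]* */
static int is_identifier(const char *name, size_t len)
{
    if (len == 0 || isdigit((unsigned char)name[0]))
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)name[i]) && name[i] != '_')
            return 0;
    return 1;
}

/* Look up `want` in envp, skipping (not failing on) non-identifier entries.
 * *skipped receives the number of entries that were ignored. */
const char *env_lookup(char *const envp[], const char *want, size_t *skipped)
{
    const char *found = NULL;
    size_t wlen = strlen(want);
    *skipped = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        size_t n = env_name_len(envp[i]);
        if (!is_identifier(envp[i], n)) {
            (*skipped)++;            /* tolerate and ignore */
            continue;
        }
        if (found == NULL && n == wlen && memcmp(envp[i], want, n) == 0)
            found = envp[i] + n + 1; /* value starts after '=' */
    }
    return found;
}

/* Constructed sample environment, as a parent process could pass to execve(). */
char *const sample_env[] = {
    "PATH=/usr/bin:/bin", "BASH_FUNC_foo%%=() { :; }", "a.b=1",
    "=oddball", "NO_EQUALS_SIGN", "HOME=/home/user", NULL
};
```
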