Date: Thu, 25 Sep 2014 13:34:51 -0400
From: christos@...las.com (Christos Zoulas)
To: oss-security@...ts.openwall.com
Cc: chet.ramey@...e.edu
Subject: Re: CVE-2014-6271: remote code execution through bash

On Sep 25,  8:15pm, solar@...nwall.com (Solar Designer) wrote:
-- Subject: Re: [oss-security] CVE-2014-6271: remote code execution through b

| There's obviously a trade-off here.  I agree that keeping the error
| messages is the right thing if we can keep them contained to local usage
| (and local attack) scenarios under typical setups.  I think applying
| Florian's prefix-suffix patch will achieve that (besides its main goal
| of actually mitigating most attacks).
| 
| What do you think of distros' going with Florian's prefix-suffix patch
| right now?  I think it breaks function imports/exports between
| pre-patch and post-patch bash versions, but keeps them intact for
| patched versions.  Right?  If so, this sounds acceptable for immediate
| use by distros.  Do you agree?

I think that at this point the only salvation is to disable function
import by default and provide a command line flag and a "set" flag
to explicitly enable it (so that scripts that depend on it can
easily be fixed). It is not a widely used feature, and both subshells
and sourced scripts don't need it or use it. It might have seemed
like a good idea a couple of decades ago, but it needs to go.

christos
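As an added illustration (not part of the thread or of bash itself), the script below checks how the bash on the local machine handles the two behaviours discussed above: how an exported function is encoded in the environment (a namespaced variable name under the prefix-suffix approach, rather than the bare function name), and whether a plain, unprefixed variable whose value merely looks like a function definition gets imported as a function. It assumes `bash` is installed; `hello` is a made-up function name.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): probe the local bash for
# the function export/import behaviour discussed in the thread.

# 1. Name under which this bash exports a function into the environment.
#    An unpatched bash used the bare name ("hello"); patched versions use a
#    prefixed/suffixed name (upstream: BASH_FUNC_hello%%), which is the
#    prefix-suffix scheme the thread refers to.
exported_func_var() {
    bash -c 'hello() { echo hi; }; export -f hello; env' \
        | grep -o '^[^=]*hello[^=]*' | head -n 1
}

# 2. Does this bash turn an ordinary environment variable that starts with
#    "() {" into a shell function? A patched bash answers "no": the value is
#    just a string, and "type hello" fails because no such function exists.
imports_unprefixed() {
    if env hello='() { echo hi; }' bash -c 'type hello' >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

echo "exported function variable name: $(exported_func_var)"
echo "imports unprefixed definition:    $(imports_unprefixed)"
```

On any bash released after the fixes went in, the first line shows a prefixed name and the second prints "no"; a bare "hello" or a "yes" indicates a bash that still carries the old import behaviour.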
