Date: Thu, 25 Sep 2014 13:34:51 -0400 From: christos@...las.com (Christos Zoulas) To: oss-security@...ts.openwall.com Cc: chet.ramey@...e.edu Subject: Re: CVE-2014-6271: remote code execution through bash On Sep 25, 8:15pm, solar@...nwall.com (Solar Designer) wrote: -- Subject: Re: [oss-security] CVE-2014-6271: remote code execution through b | There's obviously a trade-off here. I agree that keeping the error | messages is the right thing if we can keep them contained to local usage | (and local attack) scenarios under typical setups. I think applying | Florian's prefix-suffix patch will achieve that (besides its main goal | of actually mitigating most attacks). | | What do you think of distros' going with Florian's prefix-suffix patch | right now? I think it breaks function imports/exports between | pre-patch and post-patch bash versions, but keeps them intact for | patched versions. Right? If so, this sounds acceptable for immediate | use by distros. Do you agree? I think that at this point the only salvation is to disable function import by default and provide a command line flag and a "set" flag to explicitly enable it (so that scripts that depend on it can easily be fixed). It is not a widely used feature, and both subshells and sourced scripts don't need it or use it. It might have seemed like a good idea a couple of decades ago, but it needs to go. christos
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ