Date: Thu, 25 Sep 2014 13:34:51 -0400
From: christos@...las.com (Christos Zoulas)
To: oss-security@...ts.openwall.com
Cc: chet.ramey@...e.edu
Subject: Re: CVE-2014-6271: remote code execution through bash

On Sep 25,  8:15pm, solar@...nwall.com (Solar Designer) wrote:
-- Subject: Re: [oss-security] CVE-2014-6271: remote code execution through b

| There's obviously a trade-off here.  I agree that keeping the error
| messages is the right thing if we can keep them contained to local usage
| (and local attack) scenarios under typical setups.  I think applying
| Florian's prefix-suffix patch will achieve that (besides its main goal
| of actually mitigating most attacks).
| 
| What do you think of distros' going with Florian's prefix-suffix patch
| right now?  I think it breaks function imports/exports between
| pre-patch and post-patch bash versions, but keeps them intact for
| patched versions.  Right?  If so, this sounds acceptable for immediate
| use by distros.  Do you agree?

I think that at this point the only salvation is to disable function
import by default and provide a command line flag and a "set" flag
to explicitly enable it (so that scripts that depend on it can
easily be fixed). It is not a widely used feature, and both subshells
and sourced scripts don't need it or use it. It might have seemed
like a good idea a couple of decades ago, but it needs to go.

christos
