oss-sec mailing list archives
Re: CVE-2014-6271: remote code execution through bash
From: christos () zoulas com (Christos Zoulas)
Date: Thu, 25 Sep 2014 13:34:51 -0400
On Sep 25, 8:15pm, solar () openwall com (Solar Designer) wrote:
-- Subject: Re: [oss-security] CVE-2014-6271: remote code execution through b

| There's obviously a trade-off here. I agree that keeping the error
| messages is the right thing if we can keep them contained to local usage
| (and local attack) scenarios under typical setups. I think applying
| Florian's prefix-suffix patch will achieve that (besides its main goal
| of actually mitigating most attacks).
|
| What do you think of distros' going with Florian's prefix-suffix patch
| right now? I think it breaks function imports/exports between
| pre-patch and post-patch bash versions, but keeps them intact for
| patched versions. Right? If so, this sounds acceptable for immediate
| use by distros. Do you agree?

I think that at this point the only salvation is to disable function
import by default and provide a command line flag and a "set" flag to
explicitly enable it (so that scripts that depend on it can easily be
fixed). It is not a widely used feature, and both subshells and sourced
scripts don't need it or use it. It might have seemed like a good idea
a couple of decades ago, but it needs to go.

christos
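The compatibility question above comes down to which environment variable names a given bash build is willing to parse as function definitions. The following audit script is an added example, not code from this thread or from bash itself; it assumes the build to check is on PATH as `bash` (override with `BASH_BIN`), and uses the names `BASH_FUNC_<name>()` (the prefix-suffix scheme of Florian's patch as shipped by several distros) and `BASH_FUNC_<name>%%` (the scheme later adopted upstream). The probe function body is empty, so only the import step itself is exercised.

```shell
#!/bin/sh
# Audit which function-import scheme a bash build honors.
# Assumption: the bash under test is "bash" on PATH unless BASH_BIN is set.
BASH_BIN="${BASH_BIN:-bash}"

# Start the target bash with one environment variable whose value looks like
# an exported function, then ask it whether a function named "probe" exists.
# env(1) is used because names such as 'BASH_FUNC_probe%%' are not valid
# shell assignments but are perfectly legal environment entries.
# Prints "yes" if the definition was imported, "no" otherwise.
imports_function() {
    varname="$1"
    if env "$varname=() { :; }" "$BASH_BIN" -c 'declare -F probe' >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Classify the build:
#   legacy  - any variable whose value starts with "() {" is parsed
#             (pre-patch behaviour; the CVE-2014-6271 exposure)
#   paren   - only BASH_FUNC_<name>() is honored (Florian's prefix-suffix patch)
#   percent - only BASH_FUNC_<name>%% is honored (later upstream scheme)
#   none    - no environment function import at all (the default argued for above),
#             also reported when the binary cannot be run
import_scheme() {
    if [ "$(imports_function probe)" = yes ]; then
        echo legacy
    elif [ "$(imports_function 'BASH_FUNC_probe()')" = yes ]; then
        echo paren
    elif [ "$(imports_function 'BASH_FUNC_probe%%')" = yes ]; then
        echo percent
    else
        echo none
    fi
}

echo "bash function-import scheme for $BASH_BIN: $(import_scheme)"
```

A result of `legacy` means the build still parses arbitrary environment variables and the prefix-suffix patch has not been applied; `paren` and `percent` builds will not exchange exported functions with each other, which is the pre-patch/post-patch break discussed in the thread.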