Full Disclosure mailing list archives

Re: Critical bash vulnerability CVE-2014-6271


From: Seth Arnold <seth.arnold () canonical com>
Date: Thu, 25 Sep 2014 15:10:08 -0700

On Thu, Sep 25, 2014 at 01:54:31PM -0700, Paul Vixie wrote:
> no. the problem occurs when /bin/sh is bash, or when a network invokable
> script begins with the line #!/bin/bash. it has nothing to do with the
> user's shell. rather, it's the shell used by popen() and system() and of
> course (execl, execlp, execle, execv, execvp, execvpe), or, it's the
> explicitly called shell named at the top of the script itself.

Which systems go through /bin/sh for the exec*() family of functions?

Thanks
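
The two conditions named in the quoted message (/bin/sh being bash, or a script beginning with #!/bin/bash) can be checked on a host with a short audit script. This is an added example, not part of the original message or thread; the function names are hypothetical and it assumes a `readlink` that supports `-f`.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes readlink -f is available.

# Print the interpreter named on a script's "#!" line (empty if none).
# Handles "#! /bin/bash -e" and "#!/usr/bin/env bash".
shebang_interp() {
    first=$(head -n 1 "$1" 2>/dev/null | tr -d '\r')
    case $first in '#!'*) ;; *) return 0 ;; esac
    set -f; set -- ${first#'#!'}; set +f      # split into words, no globbing
    if [ "${1##*/}" = env ]; then
        shift
        # Skip env options and VAR=value assignments.
        while [ $# -gt 0 ]; do
            case $1 in -*|*=*) shift ;; *) break ;; esac
        done
    fi
    printf '%s\n' "${1:-}"
}

# True if an interpreter path or bare name resolves, through symlinks, to a
# file called "bash". This is how /bin/sh is caught when it is a link to bash.
resolves_to_bash() {
    case $1 in
        */*) p=$1 ;;
        *)   p=$(command -v "$1" 2>/dev/null) || p=$1 ;;
    esac
    target=$(readlink -f "$p" 2>/dev/null) || target=$p
    [ "${target##*/}" = bash ]
}

# Print "script<TAB>interpreter" for each file under a directory whose
# interpreter resolves to bash.
bash_backed_scripts() {
    find "$1" -type f | sort | while IFS= read -r f; do
        interp=$(shebang_interp "$f")
        [ -n "$interp" ] || continue
        if resolves_to_bash "$interp"; then printf '%s\t%s\n' "$f" "$interp"; fi
    done
}

# Usage: sh audit.sh /path/to/cgi-bin   (the path is an example)
if [ $# -gt 0 ]; then bash_backed_scripts "$1"; fi
```

The check goes by file name after symlink resolution, so a copy or hard link of bash installed under another name is not detected.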


