nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: update

From: Jim Popovitch <jimpop () gmail com>
Date: Wed, 24 Sep 2014 18:50:05 -0400
On Sep 24, 2014 6:39 PM, "Michael Thomas" <mike () mtcc com> wrote:



On 9/24/14, 3:27 PM, Jim Popovitch wrote:


On Wed, Sep 24, 2014 at 6:17 PM, Brandon Whaley <redkrieg () gmail com>

wrote:


The scope of the issue isn't limited to SSH, that's just a popular
example people are using.  Any program calling bash could potentially
be vulnerable.


Agreed.  My point was that bash is not all that popular on
debian/ubuntu for accounts that would be running public facing
services that would be processing user defined input (www-data,
cgi-bin, list, irc, lp, mail, etc).  Sure some non-privileged user
could host their own cgi script on >:1024, but that's not really a
critical "stop the presses!!" upgrade issue, imho.




This is already made it to /. so I'm not sure why Randy was being so hush

hush...


But my read is that this could affect anything that calls bash to do

processing, like

handing off to CGI by putting in headers to p0wn the box. Also: bash is

incredibly

pervasive though any unix disto, in not at all obvious places, so I

wouldn't be

complacent about this at all.

Mike


If someone is already invoking #!/bin/bash from a cgi, then they are
already doing it wrong (bash has massive bloat/overhead for a CGI script).
But I do agree, it's hard to know exactly what idiots do.  :-)

-Jim P.
Previous By Date Next
Previous By Thread Next

Current thread: