oss-sec mailing list archives
Re: CVE-2014-6271: remote code execution through bash
From: Solar Designer <solar () openwall com>
Date: Thu, 25 Sep 2014 21:58:13 +0400
On Thu, Sep 25, 2014 at 01:34:51PM -0400, Christos Zoulas wrote:
> I think that at this point the only salvation is to disable function
> import by default and provide a command line flag and a "set" flag to
> explicitly enable it (so that scripts that depend on it can easily be
> fixed). It is not a widely used feature, and both subshells and sourced
> scripts don't need it or use it. It might have seemed like a good idea
> a couple of decades ago, but it needs to go.

Good idea to also add a "set" flag. Thanks!

Alexander