Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability)

[Peter Bex <Peter.Bex () xs4all nl>]

On Fri, Sep 26, 2014 at 12:07:34PM -0600, Kurt Seifried wrote:
> This is a classic case of "yes the correct thing to do is..." but the
> reality is "we should fix this centrally rather than try to make
> everyone do the right thing (aka boiling the ocean)". This is like tmp
> vulns, it's 2014, the solution for tmp vulns is polyinstantiated /tmp
> per user, and per application /tmp dirs in addition to this. Solve it
> once centrally (e.g. in PAM/systemd) and boom, done.
>
> We should always try to do the best/safest thing because most devs are
> going to try to do the most insanely dangerous thing.

That's the first sensible thing I've read on this whole topic :)

Cheers,
Peter
-- 
http://www.more-magic.net