oss-sec mailing list archives
Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability)
From: Peter Bex <Peter.Bex () xs4all nl>
Date: Fri, 26 Sep 2014 20:13:15 +0200
On Fri, Sep 26, 2014 at 12:07:34PM -0600, Kurt Seifried wrote:
> This is a classic case of "yes the correct thing to do is..." but the reality is "we should fix this centrally rather than try to make everyone do the right thing (aka boiling the ocean)". This is like tmp vulns, it's 2014, the solution for tmp vulns is polyinstantiated /tmp per user, and per application /tmp dirs in addition to this. Solve it once centrally (e.g. in PAM/systemd) and boom, done. We should always try to do the best/safest thing because most devs are going to try to do the most insanely dangerous thing.

That's the first sensible thing I've read on this whole topic :)

Cheers,
Peter
--
http://www.more-magic.net