oss-sec mailing list archives
Re: Fwd: Non-upstream patches for bash
From: Michael Samuel <mik () miknet net>
Date: Sun, 28 Sep 2014 21:13:22 +1000
On 28 September 2014 01:06, Solar Designer <solar () openwall com> wrote:
> This also means that we should treat any programs that generate bash scripts with (sanitized) untrusted input in them as unsafe, and patch those to use safer mechanisms to pass (sanitized) inputs to scripts (preferably use env vars with fixed names).
The problem with this approach is that a sh is useful for both system(3) and wrapping things like java.

This problem came up because bash was parsing environment variables even when the script wasn't referencing them. I don't think anyone lets network users set completely arbitrary environment variable names.

I think Debian's approach of dash as /bin/sh, and bash as an interactive shell, is the right balance. I switched a Fedora box to using dash as /bin/sh, and so far have only logged one bug for something that broke, and it pretty much deserved to break (BZ #1146733).

Regards,
  Michael
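The contrast the two messages above are arguing over, as an added example (this is not code from the thread, from bash or from dash): a wrapper that splices "sanitized" untrusted input into the text of a script it hands to /bin/sh, next to a wrapper that passes the same value in an environment variable with a fixed name that the child script reads as data, plus a check of which shell actually answers to /bin/sh. The function names naive_sanitize, run_interpolated, run_via_env and sh_flavor are chosen here for illustration, and the inputs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this thread (not Michael Samuel's or Solar Designer's code).
# Contrasts a wrapper that builds script text from "sanitized" untrusted input
# with one that passes the value in an environment variable with a fixed name,
# and adds a check for which shell /bin/sh really is. All inputs are constructed.

# Naive "sanitizer" (hypothetical, for illustration): strips a few shell
# metacharacters but leaves $(...), backticks and newlines untouched.
naive_sanitize() {
    printf '%s' "$1" | tr -d ';|&<>'
}

# Unsafe: the untrusted value is spliced into the script text, so whatever
# survived the sanitizer is parsed as shell code by the child /bin/sh.
run_interpolated() {
    untrusted="$1"
    sh -c "echo Hello, $untrusted"
}

# Safe: the wrapper exports the value under a fixed, known name and the child
# script references it as data. The child never sees the value as syntax.
run_via_env() {
    USER_INPUT="$1" sh -c 'printf "Hello, %s\n" "$USER_INPUT"'
}

# Which shell answers to /bin/sh? dash leaves BASH_VERSION unset; bash sets it.
# Prints "bash" or "not-bash".
sh_flavor() {
    if [ -n "$(sh -c 'printf %s "$BASH_VERSION"')" ]; then
        echo bash
    else
        echo not-bash
    fi
}

# Demonstration with a constructed input that a metacharacter blacklist misses.
demo_input='x$(echo pwned)'
echo "/bin/sh is: $(sh_flavor)"
echo "interpolated after sanitizing: $(run_interpolated "$(naive_sanitize "$demo_input")")"
echo "via fixed env var:             $(run_via_env "$demo_input")"
```

The env-var route is the one suggested in the quoted message: the child script names the variable itself, so the wrapper never has to decide which characters of the value are "safe", and the outcome does not depend on how well the sanitizer guessed the shell's grammar. sh_flavor only reports which shell is behind /bin/sh; it says nothing about whether a given bash build carries the patches this thread discusses.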
Current thread:
- Re: Fwd: Non-upstream patches for bash, (continued)
- Re: Fwd: Non-upstream patches for bash Huzaifa Sidhpurwala (Sep 25)
- Re: Fwd: Non-upstream patches for bash Michal Zalewski (Sep 25)
- Re: Fwd: Non-upstream patches for bash Chet Ramey (Sep 25)
- Re: Fwd: Non-upstream patches for bash Solar Designer (Sep 26)
- Re: Fwd: Non-upstream patches for bash Solar Designer (Sep 26)
- Re: Fwd: Non-upstream patches for bash Michal Zalewski (Sep 26)
- Re: Fwd: Non-upstream patches for bash Roman Drahtmueller (Sep 27)
- Re: Fwd: Non-upstream patches for bash Solar Designer (Sep 27)
- Re: Fwd: Non-upstream patches for bash Roman Drahtmueller (Sep 27)
- Re: Fwd: Non-upstream patches for bash Steve Jones (Sep 27)
- Re: Fwd: Non-upstream patches for bash Michael Samuel (Sep 28)
- Re: Fwd: Non-upstream patches for bash Sven Kieske (Sep 28)
- Re: [langsec-discuss] [oss-security] Fwd: Non-upstream patches for bash Paul Burchard (Sep 29)
- Re: Fwd: Non-upstream patches for bash Bernhard Hermann (Sep 29)
- Re: Fwd: Non-upstream patches for bash Ed Prevost (Sep 29)
- Re: Fwd: Non-upstream patches for bash Huzaifa Sidhpurwala (Sep 25)
- Re: Fwd: Non-upstream patches for bash Jakub Wilk (Sep 29)
- Re: Fwd: Non-upstream patches for bash cve-assign (Sep 29)
- Re: Fwd: Non-upstream patches for bash Chet Ramey (Sep 29)
- Re: [security-vendor] Re: [oss-security] Fwd: Non-upstream patches for bash Mark Hatle (Sep 26)