autoconf

Re: Bash security issue


From: Bob Friesenhahn
Subject: Re: Bash security issue
Date: Thu, 25 Sep 2014 11:14:30 -0500 (CDT)
User-agent: Alpine 2.01 (GSO 1266 2009-07-14)

On Thu, 25 Sep 2014, Eric Blake wrote:

> On 09/25/2014 07:51 AM, Bob Friesenhahn wrote:
>> It may be that some users of 'autoconf' will be at risk due to the dire
>> bash security bug described at
>> "http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/".
>>
>> Take care that the environment is carefully vetted.
>
> There's nothing that ./configure can do to avoid the buggy bash, but it
> may indeed be worth patching autoconf to generate configure scripts that
> issue a loud warning if the buggy shell is detected on the user's
> system.  I'll look into doing that.

As far as I can tell, the main issue would be for free software sites which provide services via CGI scripts which expose CGI environment variables to scripts running bash. It does not matter if the initial CGI script is based on Python, Perl, or something else if a script running bash eventually gets invoked with the problematic environment variables. At least that is my understanding.

There are also issues when using ssh because ssh can invoke remote scripts on behalf of the user while passing local environment variables.

Bob
--
Bob Friesenhahn
address@hidden, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
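
The environment vetting discussed in this message, sketched for a Python CGI front end that later launches a bash helper. This is an added example, not code from the thread or from autoconf; the allow-list, the sample variables and the function names are assumptions.

```python
import os
import re
import subprocess
import sys

# Bash passes exported functions through the environment as values that
# begin with "() {"; match that shape, tolerating extra whitespace.
FUNCTION_LIKE = re.compile(r"^\s*\(\s*\)\s*\{")

# Assumption: the only names the hypothetical helper script needs.
ALLOWED_NAMES = frozenset(
    {"PATH", "LANG", "REQUEST_METHOD", "QUERY_STRING", "HTTP_USER_AGENT"}
)

# Constructed sample of what a web server might hand to a CGI program.
SAMPLE_CGI_ENV = {
    "PATH": "/usr/bin:/bin",
    "REQUEST_METHOD": "GET",
    "QUERY_STRING": "page=1",
    "HTTP_USER_AGENT": "() { return; }",  # function-shaped header value
    "HTTP_COOKIE": "session=abc",         # client data the helper never reads
}


def vet_environment(environ, allowed=ALLOWED_NAMES):
    """Split environ into (clean, rejected) before a shell is started."""
    clean, rejected = {}, {}
    for name, value in environ.items():
        if name not in allowed:
            rejected[name] = "name not allow-listed"
        elif FUNCTION_LIKE.match(value):
            rejected[name] = "value has the shape of a function definition"
        else:
            clean[name] = value
    return clean, rejected


def run_helper(argv, environ=None):
    """Run argv with the vetted environment only, logging what was dropped."""
    source = os.environ if environ is None else environ
    clean, rejected = vet_environment(source)
    for name, reason in sorted(rejected.items()):
        # Log the name and reason, never the untrusted value itself.
        print(f"dropped {name}: {reason}", file=sys.stderr)
    return subprocess.run(argv, env=clean, capture_output=True, text=True)


if __name__ == "__main__":
    result = run_helper([sys.executable, "-c", "import os; print(sorted(os.environ))"],
                        SAMPLE_CGI_ENV)
    print(result.stdout, end="")
```

The same filter applies wherever a process starts a shell on behalf of a remote party, including the ssh case mentioned above.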


