[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Bash security issue
From: |
Eric Blake |
Subject: |
Re: Bash security issue |
Date: |
Mon, 29 Sep 2014 07:13:48 -0600 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1 |
On 09/29/2014 05:19 AM, Ralf Corsepius wrote:
> On 09/25/2014 05:53 PM, Eric Blake wrote:
>
>> Huh? There is no wasted effort in teaching configure scripts to warn
>> users that they are running on an unpatched vulnerable system. Just
>> because a fix may be available doesn't mean everyone is running the fix.
>
> I do not see any sense in this at all, unless the bash bug itself would
> impact configure scripts themselves.
But it MIGHT impact configure scripts. One of the goals of configure is
to 'export' variables into the build environment prior to calling
config.status recipes. The whole point of the Shell Shock bug is that
there are some values that you cannot safely export, because doing so
risks your child misbehaving. As we cannot predict which child
processes will be run during config.status, configure scripts may indeed
be vulnerable.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature
- Bash security issue, Bob Friesenhahn, 2014/09/25
- Re: Bash security issue, Eric Blake, 2014/09/25
- Re: Bash security issue, Eric Blake, 2014/09/25
- Re: Bash security issue, Shawn H Corey, 2014/09/25
- Re: Bash security issue, Ralf Corsepius, 2014/09/29
- Re: Bash security issue,
Eric Blake <=
- Re: Bash security issue, Ralf Corsepius, 2014/09/29
- Re: Bash security issue, Paul Eggert, 2014/09/29
- Re: Bash security issue, Henrique de Moraes Holschuh, 2014/09/29
- Re: Bash security issue, Eric Blake, 2014/09/29
- Re: Bash security issue, Nick Bowler, 2014/09/29
Re: Bash security issue, Bob Friesenhahn, 2014/09/25
Re: Bash security issue, Nick Bowler, 2014/09/25