bug-bash

Re: Does bash treat segment fault causing by scripts as security bugs ?


From: Eric Blake
Subject: Re: Does bash treat segment fault causing by scripts as security bugs ?
Date: Wed, 15 Feb 2017 08:34:23 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0

On 02/15/2017 07:01 AM, Pierre Gaston wrote:
> If you can run arbitrary code in a shell (or even if your script doesn't
> validate its input), your security is already compromised.

Or put another way, bash CVEs are rare, and exist primarily when the
shell can be made to run arbitrary code without you being able to
prevent it.  Shellshock was a case where bash could execute code before
your script began (hence a CVE), but infinite recursion is a case where
avoiding your script avoids the crash (therefore the bug is your script,
not bash, and not worth a CVE).

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
