autoconf-patches

[PATCH] docs: mention that not all values can be exported


From: Eric Blake
Subject: [PATCH] docs: mention that not all values can be exported
Date: Sat, 27 Sep 2014 18:26:43 -0600

There has been a LOT of news about bash's Shell Shock bug lately.
Document some of the ramifications it has on portable scripting.

* doc/autoconf.texi (Limitations of Builtins) <export>: Add some
details about Shell Shock CVE-2014-6271.

Signed-off-by: Eric Blake <address@hidden>
---

I'm still debating about adding a sniffer to configure scripts that
warns users if they still have a vulnerable bash on their system,
but that's a bigger project, and makes the most sense only if I can
release autoconf 2.70 in the near future.  But I'd like to apply
this patch no matter what.

 doc/autoconf.texi | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/doc/autoconf.texi b/doc/autoconf.texi
index e2137ae..b3fabfd 100644
--- a/doc/autoconf.texi
+++ b/doc/autoconf.texi
@@ -17668,6 +17668,15 @@ Limitations of Builtins
 bar
 @end example

+Posix requires @command{export} to work with any arbitrary value for the
+contents of the variable being exported, but some versions of Bash
+(including all builds prior to September 2014) are vulnerable to the
+``Shell Shock'' remote execution bug (CVE-2014-6271 and friends), where
+exporting a variable with the initial substring of @code{() @{} could
+trigger a number of undesirable behaviors at the startup of a child
+bash.  Bash has an extension that allows the export of function
+definitions, but this is not portable to other shells.
+
 @item @command{false}
 @c ------------------
 @prindex @command{false}
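
Review bot: The new paragraph names the hazard but stops short of telling a script author what to do about it: after "could trigger a number of undesirable behaviors at the startup of a child bash" there is no recommendation, unlike a limitations entry that a reader can act on. Consider a closing sentence advising that portable scripts not export a variable whose value begins with @code{() @{}, in particular when the value comes from input the script does not control. Two smaller points in the same paragraph: "all builds prior to September 2014" is a date rather than a version or patch level, which is hard to check against an installed bash and says nothing about vendor builds that carry the fix under an older version string; and the final sentence about exporting function definitions reads as unrelated to the bug as written, so if that extension is why the @code{() @{} prefix is special, say so and move the sentence ahead of the description of the vulnerability.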
-- 
1.9.3



