autoconf
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bash security issue

From: Eric Blake
Subject: Re: Bash security issue
Date: Thu, 25 Sep 2014 08:59:04 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.0 
On 09/25/2014 08:55 AM, Eric Blake wrote:
> On 09/25/2014 07:51 AM, Bob Friesenhahn wrote:
>> It may be that some users of 'autoconf' will be at risk due to the dire
>> bash security bug described at
>> "http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/";.
>>
>> Take care that the environment is carefully vetted.
> 
> There's nothing that ./configure can do to avoid the buggy bash,

I should explain that: the bash bug affects bash startup, _before_ it
starts running any commands in your script.  So if you have a buggy
shell, and use it to invoke your script, then by the time your script is
running, the bug has already happened.

I also think autoconf has a mitigating factor - the _reason_ the bash
bug is such a huge security bug is that there are services that can be
easily fooled into defining user-defined environment variables and
handing it off to the shell.  The escalation comes into play when you
get a service running as a different user or on a different machine to
do that on your behalf.  But autoconf generates configure scripts which
are designed to run on a local machine under the local user's
credentials; while the bug is still ugly, configure's use of the shell
is not crossing user/machine boundaries, and thus is probably not
something that can be exploited for privilege escalation in a configure
script alone.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to
[Prev in Thread] Current Thread [Next in Thread]