[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bash security issue

From: Eric Blake
Subject: Re: Bash security issue
Date: Thu, 25 Sep 2014 11:42:33 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.0

On 09/25/2014 11:21 AM, Nick Bowler wrote:
> On 2014-09-25 08:55 -0600, Eric Blake wrote:
>> On 09/25/2014 07:51 AM, Bob Friesenhahn wrote:
>>> It may be that some users of 'autoconf' will be at risk due to the dire
>>> bash security bug described at
>>> "http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/";.
>>> Take care that the environment is carefully vetted.
>> There's nothing that ./configure can do to avoid the buggy bash, but it
>> may indeed be worth patching autoconf to generate configure scripts that
>> issue a loud warning if the buggy shell is detected on the user's
>> system.  I'll look into doing that.
> The most surprising thing I learned from this whole ordeal is that
> there are strings consisting entirely of printable characters that
> are not portable to store in exported shell variables.

And _that's_ what I want changed, by proposing that bash use 'f()=...'
rather than 'f=() {...' as the magic it uses for exporting functions
from parent to child.

Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]