Re: Security Vulnerability Reporting

From: Eric Blake
Subject: Re: Security Vulnerability Reporting
Date: Fri, 26 Feb 2016 09:02:03 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0

On 02/26/2016 07:54 AM, Travis Garrell wrote:
> Good Morning/Afternoon/Evening,
> Is there a set process in place for reporting security vulnerabilities
> against bash? If so, what might that process be?

Very few bugs in bash are security vulnerabilities (shellshock being the
obvious exception).  Yes, bash has bugs, but in most cases, what people
think are security bugs in bash are actually poorly-written shell
functions that crash for the user, but which can't exploit bash to
escalate the user's privileges.

So unless you are dead certain you have another shellshock equivalent on
your hands (where bash could be coerced into running arbitrary code that
was NOT part of the shell script, in such a way that anyone using bash
as /bin/sh via system() calls made those programs become an escalation
point), then posting your example to this list is probably okay, at
which point we can confirm that it is not a security bug.

Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
