Re: Security Vulnerability Reporting

From: Chet Ramey
Subject: Re: Security Vulnerability Reporting
Date: Fri, 26 Feb 2016 11:22:38 -0500
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.6.0

On 2/26/16 11:13 AM, Dan Douglas wrote:
> On Fri, Feb 26, 2016 at 10:02 AM, Eric Blake <address@hidden> wrote:
>> Very few bugs in bash are security vulnerabilities (shellshock being the
>> obvious exception).  Yes, bash has bugs, but in most cases, what people
>> think are security bugs in bash are actually poorly-written shell
>> functions that crash for the user, but which can't exploit bash to
>> escalate the user's privileges.
> All true. To be a genuine issue it usually has to be something that
> causes a security problem in programs that utilize bash independent of
> the script being run, or which exploits some common aspect of any script
> that couldn't have been foreseen. The script is usually to blame.

The only real security vulnerability was the original exported-functions
shellshock bug.  The rest of the bugs that were subsequently discovered
were not vulnerabilities per se: you could crash the shell but not obtain
elevated privileges.

``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    address@hidden    http://cnswww.cns.cwru.edu/~chet/
