Re: Bash security issue
From: Eric Blake
Subject: Re: Bash security issue
Date: Thu, 25 Sep 2014 11:42:33 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.0

On 09/25/2014 11:21 AM, Nick Bowler wrote:
> On 2014-09-25 08:55 -0600, Eric Blake wrote:
>> On 09/25/2014 07:51 AM, Bob Friesenhahn wrote:
>>> It may be that some users of 'autoconf' will be at risk due to the dire
>>> bash security bug described at
>>> "http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/".
>>>
>>> Take care that the environment is carefully vetted.
>>
>> There's nothing that ./configure can do to avoid the buggy bash, but it
>> may indeed be worth patching autoconf to generate configure scripts that
>> issue a loud warning if the buggy shell is detected on the user's
>> system. I'll look into doing that.
>
> The most surprising thing I learned from this whole ordeal is that
> there are strings consisting entirely of printable characters that
> are not portable to store in exported shell variables.
And _that's_ what I want changed, by proposing that bash use 'f()=...'
rather than 'f=() {...' as the magic it uses for exporting functions
from parent to child.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
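
An added example, not part of this message or of autoconf: one way to vet an environment for the 'f=() {...' export marker discussed above, by scanning `env`-style NAME=value lines. The function names scan_env, sample_env and flagged_sample are hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: flag environment entries whose value begins with "() {",
# the marker bash used for functions exported from parent to child.

# scan_env: read NAME=value lines on stdin (the format `env` prints) and
# print the NAME of every entry whose value starts with "() {".
# Limitation: `env` output is line-based, so a continuation line of a
# multi-line value that happens to contain "=" is parsed as its own entry.
# That can only add a false positive, never hide a real match.
scan_env() {
    while IFS= read -r line; do
        case $line in
            *=*) ;;             # looks like NAME=value
            *) continue ;;      # continuation of a multi-line value
        esac
        name=${line%%=*}        # text before the first "="
        value=${line#*=}        # text after the first "="
        case $value in
            '() {'*) printf '%s\n' "$name" ;;
        esac
    done
}

# sample_env: constructed input. Nothing here is placed in the real
# environment, and the function body shown is a benign definition.
sample_env() {
    cat <<'EOF'
HOME=/home/build
CC=gcc
f=() { echo hello; }
NOTE=text with () { in the middle
CFLAGS=-O2 -g
EOF
}

# flagged_sample: names flagged in the constructed sample.
flagged_sample() {
    sample_env | scan_env
}

# Against a live environment the same check is:  env | scan_env
flagged_sample   # prints: f
```

Only a value that starts with the marker is reported, so NOTE above is not flagged even though it contains the same characters.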