bug-bash

Re: CVE-2014-7169 vs CVE-2014-6271


From: Alan Wild
Subject: Re: CVE-2014-7169 vs CVE-2014-6271
Date: Fri, 26 Sep 2014 12:06:41 -0500

Not that I get a "vote", but if I did... I'm completely supportive of
dropping function "importing" support when bash is invoked as /bin/sh (or
--posix).  This is clearly bash-specific functionality that isn't needed
for POSIX-compliance.  Seems like a much more reasonable middle-ground than
pulling it altogether.

-Alan

On Fri, Sep 26, 2014 at 11:58 AM, Alan Wild <alan@madllama.net> wrote:

> I've been searching for some clarification on these two "fixes" and I'm
> utterly confused.  I've been led to believe RedHat's first patch (6271) is
> based on code from Chet that just causes bash to reject functions where
> code appears outside of the function body.
>
> However, this patch was labeled as "insufficient" and 7169 now appears to
> completely remove the ability to receive function definitions from the
> environment.
>
> I have production code that requires function exporting that's going to be
> broken by 7169.  Is this some knee-jerk reaction by just RedHat or is this
> a revised patch from Chet marking a change in bash functionality?
>
> My company's cybersecurity folks are pushing to install 7169 as soon as
> possible and while I'm trying to push back I need to know if this is a
> strategic change in direction for bash, RHEL, or what, exactly.  (Because I
> need to know how extensively I need to rearchitect my application).
>
> -Alan
>
> --
> alan@madllama.net http://humbleville.blogspot.com
>



-- 
alan@madllama.net http://humbleville.blogspot.com
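Added example, not part of the thread above and not code from the bash project: the three shell functions below let an administrator see, on their own machine, the mechanism this thread is about. The first round-trips a function through the environment with `export -f` (the "function exporting" the poster's production code depends on). The second places a plain-named variable shaped like a function definition with trailing code into a child bash's environment and checks that the installed bash treats it as an ordinary string, i.e. that the "code outside the function body" case the 6271 fix addresses is no longer executed. The third probes whether that bash still imports exported functions when started with --posix, which is the behaviour the poster proposes dropping. The only assumption is that a `bash` binary is on PATH; the variable value used in the check is a constructed test value.

```sh
#!/bin/sh
# Added example (not from the bug-bash thread). Assumes `bash` is on PATH;
# every result describes that bash.

# Round-trip a function through the environment: define it, `export -f` it,
# call it from a child bash. A working import prints "hello from child".
exported_function_roundtrip() {
    bash -c '
        greet() { printf "hello from %s\n" "$1"; }
        export -f greet
        bash -c "greet child"
    '
}

# Put a plain-named variable whose value looks like a function definition
# followed by trailing code into a child bash's environment (constructed test
# value). A fixed bash imports it as an ordinary string and prints only "ok";
# a bash without the 6271 fix would also run the trailing echo and print
# "vulnerable" first. stderr is silenced because some fixed versions warn.
trailing_code_check() {
    env 'x=() { :;}; echo vulnerable' bash -c 'echo ok' 2>/dev/null
}

# Report whether the installed bash imports an exported function when it is
# started in POSIX mode. Prints "imported" or "not-imported".
posix_mode_import_probe() {
    bash -c '
        f() { echo imported; }
        export -f f
        bash --posix -c f 2>/dev/null || echo not-imported
    '
}

# Stand-alone run: print all three results.
exported_function_roundtrip
trailing_code_check
posix_mode_import_probe
```

Run it as `sh check-bash-import.sh`; the second line of output should be a single `ok`, and the third line tells you whether your bash honours function imports under --posix.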

