Re: Security Vulnerability Reporting
From: Eric Blake
Subject: Re: Security Vulnerability Reporting
Date: Fri, 26 Feb 2016 09:02:03 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
On 02/26/2016 07:54 AM, Travis Garrell wrote:
> Good Morning/Afternoon/Evening,
>
> Is there a set process in place for reporting security vulnerabilities
> against bash? If so, what might that process be?
Very few bugs in bash are security vulnerabilities (shellshock being the
obvious exception). Yes, bash has bugs, but in most cases, what people
think are security bugs in bash are actually poorly-written shell
functions that crash for the user, but which can't exploit bash to
escalate the user's privileges.
So unless you are dead certain you have another shellshock equivalent on
your hands (where bash could be coerced into running arbitrary code that
was NOT part of the shell script, in such a way that anyone using bash
as /bin/sh via system() calls made those programs become an escalation
point), then posting your example to this list is probably okay, at
which point we can confirm that it is not a security bug.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org