On 9/26/2014 11:51 AM, Bryan Drewery wrote:
> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>> On Fri, Sep 26, 2014 at 6:40 PM, Bryan Drewery <bdrew...@freebsd.org> wrote:
>>> On 9/26/2014 2:36 AM, Steve Clement wrote:
>>>> Dear all,
>>>> In case you urgently need to go the manual route, here is one way to 
>>>> really patch your systems:
>>>> https://www.circl.lu/pub/tr-27/
>>>> Until the patch is in the bash upstream… (which it might be by now)
>>>> Take care,
>>> The port has had the fixes since yesterday. The packages are building.
>>> --
>>> Regards,
>>> Bryan Drewery
>> Apparently, the full fix is still not delivered, according to this:
>> http://seclists.org/oss-sec/2014/q3/741
>> Kind regards,
>> Bartek Rutkowski
> I'm pretty sure they call that a "feature". This is a bit different.
> This is modifying the command used to call a function as the feature
> intends. The vulnerability was that just parsing the environment would
> execute the code.
> TL;DR: You should cleanse your environment and only accept valid input
> to work around this feature. The bash developer (Chet) said he would not
> remove it by default, at least a few days ago.

There is more discussion here http://seclists.org/oss-sec/2014/q3/746

Anyway I still think this is not anything to panic about. However I am
making the decision to disable this feature entirely in our bash port by
default. I will use christos@NetBSD's patch to add a --import-functions
flag to bash. The port will allow selecting the default at build time.
Ours will have it disabled. I have no idea what the impact is on this,
but it is the safest route for now; scripts passing functions in the
environment is crazy.

Bryan Drewery
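The "cleanse your environment" workaround from the quoted reply, as an added example that is not part of this thread, of the FreeBSD bash port, or of christos@'s patch. Before the fix, bash turned any environment variable whose value began with "() {" into a function definition while parsing its environment, so the two helpers below strip such entries before a child that might be bash is started: one with an allowlist (`env -i`, which is POSIX), one with a deny-list (`env -u`, which GNU and BSD `env` provide but POSIX does not). The detector keys on the value, so it also flags the `BASH_FUNC_name%%` entries that fixed bash versions use for exported functions. It assumes single-line values, since `env` output cannot delimit a value that contains a newline. The names `find_function_exports`, `run_allowlisted` and `run_without_function_exports` are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): keep exported-function definitions
# out of a child process's environment.
#
# Assumptions: NAME=VALUE lines with single-line values; `env -u` available
# (GNU coreutils and the BSDs have it, POSIX does not specify it).

# find_function_exports: read NAME=VALUE lines on stdin (e.g. from `env`)
# and print the NAME of every entry whose value starts with "() {", the
# prefix bash recognises as an exported function definition.
find_function_exports() {
    while IFS= read -r entry; do
        case "$entry" in
            *=*) ;;            # only NAME=VALUE lines are candidates
            *) continue ;;
        esac
        name=${entry%%=*}
        value=${entry#*=}
        case "$value" in
            "() {"*) printf '%s\n' "$name" ;;
        esac
    done
}

# run_allowlisted: run "$@" in a fresh environment that carries only the
# variables listed here. This is the "only accept valid input" approach:
# nothing the caller (a web server, cron, sshd) exported reaches bash.
# Extend the list (LANG, TERM, ...) as the program genuinely needs.
run_allowlisted() {
    env -i PATH="${PATH:-/usr/bin:/bin}" HOME="${HOME:-/}" "$@"
}

# run_without_function_exports: run "$@" with every function-shaped variable
# removed and everything else kept. POSIX sh has no arrays, so the -u
# options are prepended to the positional parameters one at a time, giving
# `env -u NAME1 -u NAME2 ... command args`.
run_without_function_exports() {
    for name in $(env | find_function_exports); do
        set -- -u "$name" "$@"
    done
    env "$@"
}

# Usage: wrap whatever may end up starting bash, for instance a CGI handler:
#   run_allowlisted /usr/local/www/cgi-bin/handler
#   run_without_function_exports /usr/local/www/cgi-bin/handler
```

The allowlist form is the one to prefer when the set of variables the program needs is known, because it does not depend on recognising the function format at all; the deny-list form is the pragmatic wrapper for programs whose environment requirements are not documented.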
