Re: Security Vulnerability Reporting
On 2/26/16 11:13 AM, Dan Douglas wrote:
> On Fri, Feb 26, 2016 at 10:02 AM, Eric Blake wrote:
>> Very few bugs in bash are security vulnerabilities (shellshock being the
>> obvious exception). Yes, bash has bugs, but in most cases, what people
>> think are security bugs in bash are actually poorly-written shell
>> functions that crash for the user, but which can't exploit bash to
>> escalate the user's privileges.
>
> All true. To be a genuine issue it usually has to be something that
> causes a security problem in programs that utilize bash independent of
> the script being run, or which exploits some common aspect of any script
> that couldn't have been foreseen. The script is usually to blame.

The only real security vulnerability was the original exported-functions
shellshock bug. The rest of the bugs that were subsequently discovered
were not vulnerabilities per se: you could crash the shell but not obtain
elevated privileges.

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    c...@case.edu    http://cnswww.cns.cwru.edu/~chet/
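The distinction Chet draws above rests on how bash passes exported functions through the environment. The script below is an added example, not part of this thread and not bash's own code: it shows the namespaced environment entry a current bash writes for an exported function, and checks that a plain variable whose value merely looks like a function definition is not turned into a function by a child bash. It assumes a bash binary on PATH; the function name greet and the variable values are constructed for the example, and the check only matches the BASH_FUNC_greet prefix because the suffix has differed between upstream and vendor builds.

```shell
#!/bin/sh
# Added example (not from the thread): how a current bash carries an
# exported function in the environment, and a check that the old
# "NAME=() { ... }" plain-variable form is no longer imported.
# Assumes: a bash binary on PATH; "greet" and its body are constructed.

# Print the environment entry bash creates for an exported function.
# Patched builds use a namespaced key (upstream: BASH_FUNC_greet%%),
# so a function body never travels under a plain variable name.
exported_function_entry() {
    bash -c 'greet() { echo hi; }; export -f greet; env' 2>/dev/null \
        | grep '^BASH_FUNC_greet' | head -n 1
}

# Report "not-imported" when a variable named greet whose value looks
# like a function definition is NOT made into a shell function by the
# child bash (the fixed behaviour), and "imported" when it is (the
# pre-fix behaviour). The value contains nothing but "echo hi".
plain_variable_import_status() {
    if greet='() { echo hi; }' bash -c 'type greet' >/dev/null 2>&1; then
        echo imported
    else
        echo not-imported
    fi
}

# Stand-alone run: summarise both observations.
echo "exported function entry: $(exported_function_entry)"
echo "plain variable import:   $(plain_variable_import_status)"
```

On a bash with the exported-functions fix, the first line starts with BASH_FUNC_greet and the second reports not-imported; that second result is the property Chet is describing, namely that environment contents alone can no longer define what the shell executes.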
Re: Security Vulnerability Reporting
On Fri, Feb 26, 2016 at 10:02 AM, Eric Blake wrote:
> Very few bugs in bash are security vulnerabilities (shellshock being the
> obvious exception). Yes, bash has bugs, but in most cases, what people
> think are security bugs in bash are actually poorly-written shell
> functions that crash for the user, but which can't exploit bash to
> escalate the user's privileges.

All true. To be a genuine issue it usually has to be something that
causes a security problem in programs that utilize bash independent of
the script being run, or which exploits some common aspect of any script
that couldn't have been foreseen. The script is usually to blame.

--
Dan Douglas
Re: Security Vulnerability Reporting
On Fri, Feb 26, 2016 at 8:54 AM, Travis Garrell wrote:
> Is there a set process in place for reporting security vulnerabilities
> against bash? If so, what might that process be?

Mail the maintainer. See:
https://tiswww.case.edu/php/chet/bash/bashtop.html#Bugs

Encrypt with:
https://tiswww.case.edu/php/chet/gpgkey.asc

--
Dan Douglas
Re: Security Vulnerability Reporting
On 02/26/2016 07:54 AM, Travis Garrell wrote:
> Good Morning/Afternoon/Evening,
>
> Is there a set process in place for reporting security vulnerabilities
> against bash? If so, what might that process be?

Very few bugs in bash are security vulnerabilities (shellshock being the
obvious exception). Yes, bash has bugs, but in most cases, what people
think are security bugs in bash are actually poorly-written shell
functions that crash for the user, but which can't exploit bash to
escalate the user's privileges.

So unless you are dead certain you have another shellshock equivalent on
your hands (where bash could be coerced into running arbitrary code that
was NOT part of the shell script, in such a way that anyone using bash as
/bin/sh via system() calls made those programs become an escalation
point), then posting your example to this list is probably okay, at which
point we can confirm that it is not a security bug.

--
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
Security Vulnerability Reporting
Good Morning/Afternoon/Evening,

Is there a set process in place for reporting security vulnerabilities
against bash? If so, what might that process be?

Thank you much!

Regards,
Travis Garrell