Bill Ricker bill.n1...@gmail.com writes:
Code fuzzed on the ENV value *after* the function definition should
not have been accepted at all. Executing it at function def time is a
bug.
What troubles me most about this is how the bit of code that reads in
environment variables sends the function
On 9/30/2014 10:59 PM, Bill Ricker wrote:
Code injection in a critical gut component like /bin/sh ...
implemented with a link. Oops !
And Lennart wonders why some of us hate his code.
Note that Multiple additional BASH security bugs have been found
and/or fixed since they started looking
On Wed, Oct 1, 2014 at 11:07 AM, Richard Pieri richard.pi...@gmail.com wrote:
Note that Multiple additional BASH security bugs have been found
and/or fixed since they started looking harder in the last week.
Which is not a bad thing as long as the people looking actually
understand what they
On 10/1/2014 12:34 PM, Bill Ricker wrote:
Yes indeed. Unskeptical eyes are useless for security review no matter
how multiplied.
As an aside, this is why I trust self-encrypting disk firmware. Rather,
it's better to say that I don't trust it any more or less than I trust
software like TrueCrypt
Seems to me that changing the /bin/sh symlink to point to dash instead of
bash should ameliorate the problem, at least where scripts that invoke
/bin/sh don't depend on bash features.
Of course, finding all such sloppily-written scripts on an existing server
could be a big chore.
Once found, they
On Wed, Oct 1, 2014 at 5:34 PM, John Hall johnhall...@gmail.com wrote:
It also that shellshock would not apply to scripts in one language that
use a subprocess for some functionality like a script in python or ruby
that uses results from a perl or even a bash script, as long as any data
that
On Wed, Oct 01, 2014 at 05:33:58PM -0400, Bill Ricker wrote:
On Wed, Oct 1, 2014 at 4:59 PM, Tom Metro tmetro+...@gmail.com wrote:
But in the case of CGI you are just moving the network/local
barrier a bit further down the stack.
and moved it right through system() = /bin/sh = /bin/bash by
I assume most readers of this list are already well familiar with the
Bash bug known as Shellshock by now. The general tech press has raised
alarms about it, but they've generally done a rather poor job of
explaining the actual ways in which the bug could be exploited remotely.
Here are a few
Also...
Repository of Shellshock Proof of Concept Code
https://github.com/mubix/shellshocker-pocs
-Tom
--
Tom Metro
The Perl Shop, Newton, MA, USA
Predictable On-demand Perl Consulting.
http://www.theperlshop.com/
___
Discuss mailing list
I take exception to the Lisp.org quote.
Yes, it's a fair point that Gnu project is older than either Apache or
Linux, but that doesn't exempt Bash from criticism. (And if this bug
is only 20 years old as claimed, being when ENV function overrides
were invented, it's maybe a year older than
10 matches
Mail list logo