Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-27 Thread Xavier Morel
On 2014-09-27, at 00:11 , Cameron Simpson wrote: > On 26Sep2014 13:16, Antoine Pitrou wrote: >> On Fri, 26 Sep 2014 01:10:53 -0700 >> Hasan Diwan wrote: >>> On 26 September 2014 00:28, Matěj Cepl wrote: >>> > Where does your faith that other /bin/sh implementations (dash, >>> > busybox, etc.)

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-26 Thread Cameron Simpson
On 26Sep2014 13:16, Antoine Pitrou wrote: On Fri, 26 Sep 2014 01:10:53 -0700 Hasan Diwan wrote: On 26 September 2014 00:28, Matěj Cepl wrote: > Where does your faith that other /bin/sh implementations (dash, > busybox, etc.) are less buggy comes from? The fact that they are simpler, in terms

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-26 Thread Jeremy Sanders
Stefan Behnel wrote: > Ok, but does that really make it a relevant topic for python-dev? Sorry - I thought I was reading python-general. gmane makes it too easy to post :-). However, I think it's worth pointing that out, in case people think that Popen is a security panacea. J __

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-26 Thread Antoine Pitrou
On Fri, 26 Sep 2014 14:56:05 +0200 Stefan Behnel wrote: > Jeremy Sanders schrieb am 26.09.2014 um 09:28: > > Antoine Pitrou wrote: > > > >> Fortunately, Python's subprocess has its `shell` argument default to > >> False. However, `os.system` invokes the shell implicitly and is > >> therefore a po

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-26 Thread Stefan Behnel
Jeremy Sanders schrieb am 26.09.2014 um 09:28: > Antoine Pitrou wrote: > >> Fortunately, Python's subprocess has its `shell` argument default to >> False. However, `os.system` invokes the shell implicitly and is >> therefore a possible attack vector. > > Of course anything called by subprocess wi

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-26 Thread Antoine Pitrou
On Fri, 26 Sep 2014 01:10:53 -0700 Hasan Diwan wrote: > Matěj, > > On 26 September 2014 00:28, Matěj Cepl wrote: > > > Where does your faith that other /bin/sh implementations (dash, > > busybox, etc.) are less buggy comes from? > > > The fact that they are simpler, in terms of lines of code.

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-26 Thread Serhiy Storchaka
On 26.09.14 01:17, Antoine Pitrou wrote: Fortunately, Python's subprocess has its `shell` argument default to False. However, `os.system` invokes the shell implicitly and is therefore a possible attack vector. Fortunately dash (which is used as /bin/sh in Debian and Ubuntu) is not vulnerable.

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-26 Thread Hasan Diwan
Matěj, On 26 September 2014 00:28, Matěj Cepl wrote: > Where does your faith that other /bin/sh implementations (dash, > busybox, etc.) are less buggy comes from? The fact that they are simpler, in terms of lines of code. It's no guarantee, but the less a given piece of code does, the less bug

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-26 Thread Matěj Cepl
On 2014-09-25, 23:14 GMT, Cameron Simpson wrote: >>Fortunately, Python's subprocess has its `shell` argument default to >>False. However, `os.system` invokes the shell implicitly and is >>therefore a possible attack vector. > > Only if /bin/sh is bash :-) Not always the case, fortunately. Where do

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-26 Thread Jeremy Sanders
Antoine Pitrou wrote: > Fortunately, Python's subprocess has its `shell` argument default to > False. However, `os.system` invokes the shell implicitly and is > therefore a possible attack vector. Of course anything called by subprocess with shell=False may invoke the shell itself if it runs oth

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Marko Rauhamaa
Steven D'Aprano : > Perhaps I'm missing something, but aren't there easier ways to attack > os.system than the bash env vulnerability? The main concern is the cases where you provide a service accessible through an SSH login and try to sandbox the client with limited functionality. SSH passes so

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Cameron Simpson
On 25Sep2014 21:30, Tres Seaver wrote: On 09/25/2014 08:59 PM, Cameron Simpson wrote: Your cable/adsl modem? Probably an embedded Linux box, possibly using bash, and certainly a dhcp client of the ISP. Better still, for many people that same compromisable modem is the DHCP _server_ for their ho

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Tres Seaver
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 09/25/2014 08:59 PM, Cameron Simpson wrote: > Your cable/adsl modem? Probably an embedded Linux box, possibly using > bash, and certainly a dhcp client of the ISP. Better still, for many > people that same compromisable modem is the DHCP _server_ fo

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Cameron Simpson
On 26Sep2014 09:40, Steven D'Aprano wrote: On Fri, Sep 26, 2014 at 12:17:46AM +0200, Antoine Pitrou wrote: On Thu, 25 Sep 2014 13:00:16 -0700 Bob Hanson wrote: > Critical bash vulnerability CVE-2014-6271 may affect Python on > *n*x and OSX: [...] See also: http://adminlogs.info/2014/09/25/ag

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Chris Angelico
On Fri, Sep 26, 2014 at 10:29 AM, Devin Jeanpierre wrote: > As I understand it, if the attacker can help specify the environment > (e.g. this is a CGI script), and you run os.system('echo hi'), you can > get pwned. Even safe uses of os.system are vulnerable unless you point > /bin/sh at a secure s

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Devin Jeanpierre
On Thu, Sep 25, 2014 at 4:53 PM, Antoine Pitrou wrote: >> In other words, os.system is *already* an attack vector, unless you only >> use it with trusted strings. I don't think the bash env vulnerability >> adds to the attack surface. >> >> Have I missed something? > > The part where the attack pa

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Chris Angelico
On Fri, Sep 26, 2014 at 9:53 AM, Antoine Pitrou wrote: >> In other words, os.system is *already* an attack vector, unless you only >> use it with trusted strings. I don't think the bash env vulnerability >> adds to the attack surface. >> >> Have I missed something? > > The part where the attack pa

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Wes Turner
> The part where the attack payload is passed through the environment, not through hypothetical user-injected command-line arguments. So, best advice would be to: 1. Upgrade bash (and standby for an additional patch, according to reddit) 2. Upgrade to WSGI, if possible 3. Be careful about includi

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Antoine Pitrou
On Fri, 26 Sep 2014 09:40:17 +1000 Steven D'Aprano wrote: > Perhaps I'm missing something, but aren't there easier ways to attack > os.system than the bash env vulnerability? If I'm accepting and running > arbitrary strings from an untrusted user, there's no need for them to go > to the trouble

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Steven D'Aprano
On Fri, Sep 26, 2014 at 12:17:46AM +0200, Antoine Pitrou wrote: > On Thu, 25 Sep 2014 13:00:16 -0700 > Bob Hanson wrote: > > Critical bash vulnerability CVE-2014-6271 may affect Python on > > *n*x and OSX: [...] See also: http://adminlogs.info/2014/09/25/again-bash-cve-2014-7169/ > Fortunately

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Cameron Simpson
On 26Sep2014 00:17, Antoine Pitrou wrote: On Thu, 25 Sep 2014 13:00:16 -0700 Bob Hanson wrote: Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX: [...] Fortunately, Python's subprocess has its `shell` a

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Wes Turner
This was helpful: http://sarge.readthedocs.org/en/latest/internals.html#how-shell-quoting-works -- Wes Turner On Thu, Sep 25, 2014 at 5:17 PM, Antoine Pitrou wrote: > On Thu, 25 Sep 2014 13:00:16 -0700 > Bob Hanson wrote: >> Critical bash vulnerability CVE-2014-6271 may affect Python on >> *n*x

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Antoine Pitrou
On Thu, 25 Sep 2014 13:00:16 -0700 Bob Hanson wrote: > Critical bash vulnerability CVE-2014-6271 may affect Python on > *n*x and OSX:

[Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Bob Hanson
Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX: