Dash as default shell
Miloslav Trmač
mitr at redhat.com
Thu Oct 2 15:59:54 UTC 2014
> The expected security improvement is essentially nonexistent. In the current
> case of importing functions from the environment (and we could have a looong
> philosophical conversation about whether this is a vulnerability in bash or
> in its callers, where the likely outcome is “not a vulnerability in bash but
> by far easiest to fix in bash”)
> Why would this be a philosophical discussion when there were clearly bugs in
> the parser allowing things it shouldn't even if you consider the use cases
> valid otherwise?
As I said in the snipped part, anyone able to submit arbitrary input to a shell can already cause it to do arbitrary things. The parser bugs do not give the attacker anything they don’t already have, so they are not security-relevant. So we are back to the philosophical discussion about where is the vulnerability in putting untrusted data into the environment.
Mirek
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20141002/c46de1dc/attachment.html>
More information about the devel
mailing list