Dash as default shell

Miloslav Trmač mitr at redhat.com
Thu Oct 2 15:59:54 UTC 2014

> The expected security improvement is essentially nonexistent. In the current
> case of importing functions from the environment (and we could have a looong
> philosophical conversation about whether this is a vulnerability in bash or
> in its callers, where the likely outcome is “not a vulnerability in bash but
> by far easiest to fix in bash”)

> Why would this be a philosophical discussion when there were clearly bugs in
> the parser allowing things it shouldn't even if you consider the use cases
> valid otherwise?

As I said in the snipped part, anyone able to submit arbitrary input to a shell can already cause it to do arbitrary things. The parser bugs do not give the attacker anything they don’t already have, so they are not security-relevant. So we are back to the philosophical discussion about where the vulnerability is in putting untrusted data into the environment.
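An added example, not code from this thread or from Fedora: a POSIX sh guard that a wrapper can run before launching a shell for an untrusted caller. It lists environment values carrying the `() {` marker that bash treats as an exported function definition, and launches the child with an explicitly constructed environment instead of the inherited one. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Checks for a wrapper that starts a shell
# on behalf of an untrusted caller (CGI, ssh forced commands, cron helpers), so
# that caller-controlled environment values never reach the shell's
# function-import path. Function names are hypothetical.

# Print the name of every environment variable whose value begins with "() {",
# the marker bash uses for exported functions (covers both the old NAME=() {...}
# form and the BASH_FUNC_NAME%% form used by newer bash).
find_function_exports() {
    env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_%]*\)=() {.*/\1/p'
}

# Exit status 0 if the environment carries no function definitions, 1 otherwise.
# Intended as a guard before exec'ing a shell.
env_is_clean() {
    [ -z "$(find_function_exports)" ]
}

# Run a command with a minimal, explicitly constructed environment: nothing is
# inherited from the caller except a fixed PATH and HOME, so whatever an
# untrusted peer placed in the environment is dropped, not parsed by the child.
run_in_clean_env() {
    env -i PATH=/usr/bin:/bin HOME=/nonexistent "$@"
}

# Demonstration on a constructed variable (value is harmless, constructed input).
export CONSTRUCTED_FN='() { echo imported; }'
echo "function-like variables: $(find_function_exports)"
env_is_clean || echo "inherited environment rejected; launching with a clean one"
run_in_clean_env sh -c 'echo "in child: ${CONSTRUCTED_FN:-unset}"'
```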