bash velnerability
Bryan Drewery
bdrewery at FreeBSD.org
Fri Sep 26 17:41:42 UTC 2014
On 9/26/2014 11:51 AM, Bryan Drewery wrote:
> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>> On Fri, Sep 26, 2014 at 6:40 PM, Bryan Drewery <bdrewery at freebsd.org> wrote:
>>> On 9/26/2014 2:36 AM, Steve Clement wrote:
>>>> Dear all,
>>>>
>>>> In case you urgently need to go the manual route, here is one way to really patch your systems:
>>>>
>>>> https://www.circl.lu/pub/tr-27/
>>>>
>>>> Until the patch is in the bash upstream… (which it might be by now)
>>>>
>>>> Take care,
>>>>
>>>
>>> The port has had the fixes since yesterday. The packages are building.
>>>
>>> --
>>> Regards,
>>> Bryan Drewery
>>>
>>
>> Apparently, the full fix is still not delivered, accordingly to this:
>> http://seclists.org/oss-sec/2014/q3/741
>>
>> Kind regards,
>> Bartek Rutkowski
>>
>
> I'm pretty sure they call that a "feature". This is a bit different.
> This is modifying the command used to call a function as the feature
> intends. The vulnerability was that just parsing the environment would
> execute the code.
>
> TL;DR; You should cleanse your environment and only accept valid input
> to work around this feature. The bash developer (Chet) said he would not
> remove it by default, at least a few days ago.
>
There is more discussion here http://seclists.org/oss-sec/2014/q3/746
Anyway I still think this is not anything to panic about. However I am
making the decision to disable this feature entirely in our bash port by
default. I will use christos at NetBSD's patch to add a --import-functions
flag to bash. The port will allow selecting the default at build time.
Ours will have it disabled. I have no idea what the impact is on this
but it is the safest route for now; scripts passing functions in
environment is crazy.
--
Regards,
Bryan Drewery
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20140926/cbff1faa/attachment.sig>
More information about the freebsd-ports
mailing list