On 2/26/16 11:13 AM, Dan Douglas wrote:
> On Fri, Feb 26, 2016 at 10:02 AM, Eric Blake <[email protected]> wrote:
>> Very few bugs in bash are security vulnerabilities (shellshock being the
>> obvious exception). Yes, bash has bugs, but in most cases, what people
>> think are security bugs in bash are actually poorly-written shell
>> functions that crash for the user, but which can't exploit bash to
>> escalate the user's privileges.
>
> All true. To be a genuine issue it usually has to be something that
> causes a security problem in programs that utilize bash independent of
> the script being run, or which exploits some common aspect of any script
> that couldn't have been foreseen. The script is usually to blame.
The only real security vulnerability was the original exported-functions
shellshock bug. The rest of the bugs that were subsequently discovered
were not vulnerabilities per se: you could crash the shell but not obtain
elevated privileges.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU [email protected] http://cnswww.cns.cwru.edu/~chet/
