John Darrington <j...@darrington.wattle.id.au> skribis:

> On Tue, Sep 20, 2016 at 04:55:30PM -0400, Leo Famulari wrote:
>      Any advice on how we should handle CVE-2016-0634?
>      
>      http://seclists.org/oss-sec/2016/q3/534
>
> Like the comment there says, it is only a problem if the machine has
> already been owned,

… or if a privilege application like a DHCP client can be made to set
the host name to $(something bad), which was apparently possible at some
point.

> so I don't see what the issue is.  If there is an issue it is for the
> bash maintainers to patch.

Chet proposed a patch:

  http://seclists.org/oss-sec/2016/q3/att-538/prompt-string-comsub.patch

IIUC, the just-released 4.4 isn’t affected, right?

We should at least update it in core-updates, but core-updates won’t be
merged until we have fixed that Binutils/MIPS issue (which shouldn’t be
too hard, but we never know!).

I’m somewhat unavailable these days; could someone look into it?

Thanks for the heads-up Leo, as usual!

Ludo’.

Reply via email to