John Darrington <j...@darrington.wattle.id.au> writes:

> On Tue, Sep 20, 2016 at 04:55:30PM -0400, Leo Famulari wrote:
> Any advice on how we should handle CVE-2016-0634?
>
> http://seclists.org/oss-sec/2016/q3/534
>
> Like the comment there says, it is only a problem if the machine has
> already been owned,

… or if a privileged application like a DHCP client can be made to set
the host name to $(something bad), which was apparently possible at
some point.

> so I don't see what the issue is. If there is an issue it is for the
> bash maintainers to patch.

Chet proposed a patch:

  http://seclists.org/oss-sec/2016/q3/att-538/prompt-string-comsub.patch

IIUC, the just-released 4.4 isn’t affected, right?

We should at least update it in core-updates, but core-updates won’t be
merged until we have fixed that Binutils/MIPS issue (which shouldn’t be
too hard, but we never know!).

I’m somewhat unavailable these days; could someone look into it?

Thanks for the heads-up Leo, as usual!

Ludo’.
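The "privileged application sets the host name" path mentioned above is the one a DHCP client hook can close on its own side, independently of the bash fix. The following is an added example, not code from this thread or from Guix: a POSIX sh validator (hypothetical function names `hostname_is_safe` and `apply_hostname`, constructed sample values) that only accepts plain RFC 1123 host names, so a server-supplied name containing `$(`, backticks or similar never reaches `\h` in a prompt.

```shell
#!/bin/sh
# Added example (not from the original mail): validate a DHCP-supplied host
# name before applying it, so that "$(...)" or "`...`" can never end up in \h.
# All names below are constructed samples.

# Return 0 if NAME is a well-formed RFC 1123 host name, 1 otherwise.
# Labels: 1-63 chars of [A-Za-z0-9-], not starting or ending with '-',
# joined by dots; whole name at most 253 characters.
hostname_is_safe() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 253 ] || return 1
    printf '%s\n' "$name" | grep -Eq \
      '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
}

# Apply NAME only if it validates; otherwise log the rejection and keep the
# current name. The real "hostname" call is commented out so this is safe to run.
apply_hostname() {
    if hostname_is_safe "$1"; then
        # hostname "$1"
        echo "would set host name to: $1"
        return 0
    fi
    logger -p daemon.warning "rejected unsafe DHCP host name: $1" 2>/dev/null || true
    echo "rejected unsafe host name: $1" >&2
    return 1
}
```

A DHCP client hook (for example a dhclient enter hook) would call `apply_hostname "$new_host_name"` instead of passing the raw value to `hostname`.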