-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 09/26/2014 07:43 PM, Lorenzo Bandieri wrote:
> Hi list,
>
> I have a favor to ask to those that are currently testing Gnome
> 3.14.
>
> In gnome 3.12 I am having problems with user switching, which is
> quite important for me. In particular, I had
On 2014-09-26 15:57, Doug Newgard wrote:
On 2014-09-26 15:00, Benjamin A. Shelton wrote:
On 09/26/2014 10:59 AM, Doug Newgard wrote:
What technical reasons are there against switching out /bin/sh?
Thusfar, I haven't encountered anything particularly noisome (the
ST2's subl launch script being o
Hi,
On Fri, Sep 26, 2014 at 03:57:54PM -0500, Doug Newgard wrote:
> Yes, it's this paranoia that I've been trying to cut through in this thread
> to get people to start discussing things rationally.
Just an FYI for people running their own DHCP servers:
http://lists.thekelleys.org.uk/pipermail/dn
On 2014-09-26 15:00, Benjamin A. Shelton wrote:
On 09/26/2014 10:59 AM, Doug Newgard wrote:
OK, we're finally getting some examples of where the sh symlink could
be used to trigger this exploit. Thank you.
There are samples that have been available for the past 2-3 days, and
there's a fairly
On Sat, Sep 27, 2014, at 01:30 AM, Benjamin A. Shelton wrote:
> On 09/26/2014 10:59 AM, Doug Newgard wrote:
> >
> > OK, we're finally getting some examples of where the sh symlink could
> be used to trigger this exploit. Thank you.
>
> There are samples that have been available for the past 2-3
On 09/26/2014 10:59 AM, Doug Newgard wrote:
>
> OK, we're finally getting some examples of where the sh symlink could
be used to trigger this exploit. Thank you.
There are samples that have been available for the past 2-3 days, and
there's a fairly steady stream of new information on various s
I've requested it as a feature. Hope it gets traction.
https://bugs.archlinux.org/task/42134
--
Cheers!
Savya
The flaw is not patched correctly. Tavis Ormandy has shown it to be still
exploitable.
Chester
On 26 September 2014 11:23:59 GMT-07:00, Guus Snijders
wrote:
>Op 26 sep. 2014 16:34 schreef "Doug Newgard" :
>[...]
>>
>> Instead of theorizing that "many" will do this, give a real world
>example
Op 26 sep. 2014 16:34 schreef "Doug Newgard" :
[...]
>
> Instead of theorizing that "many" will do this, give a real world example
of where this happens and would have reduced the attack surface of the bug
in question.
One of the very few examples that sound reasonable, is dhclient.
Apparently,
Hi list,
I have a favor to ask to those that are currently testing Gnome 3.14.
In gnome 3.12 I am having problems with user switching, which is quite
important for me. In particular, I had this annoying bug [1] since I
installed Gnome in this computer. When Xorg 1.16 came out, it broke
completely
On Fri, Sep 26, 2014, at 10:29 PM, Doug Newgard wrote:
> Now my question for everyone else is, what will people do *WHEN* a bug
> is found in dash? Bash is the most tested shell code base we have, and I
> don't buy into the fallacy that a smaller code base is inherently more
> secure. Or are you
On 2014-09-26 11:46, Benjamin A. Shelton wrote:
On 09/26/2014 10:16 AM, Leonid Isaev wrote:
The bugs which started this discussion are not a big deal anyway. They
will only affect scripts that don't properly sanitize the input. Such
scripts have bigger problems to worry about IMHO. The SSH-relat
On 26/09/14 11:16, Leonid Isaev wrote:
> $ head -n1 /usr/bin/mkinitcpio
> #!/bin/bash
> ---
>
> So, yes ArchLinux core tools use and will continue to use 'bashisms' because
> they are convenient.
Right, and I'm more or less fine with that _because_ of the above shebang line,
and I'm also fine wi
On 09/26/2014 10:16 AM, Leonid Isaev wrote:
> The bugs which started this discussion are not a big deal anyway. They
> will only affect scripts that don't properly sanitize the input. Such
> scripts have bigger problems to worry about IMHO. The SSH-related
> issue is also insignificant because the
On Fri, 2014-09-26 at 13:27 -0300, Hugo Osvaldo Barrera wrote:
> I strongly agree with this. Programs that ask for sh should get sh, and
> programs that ask for bash should get bash.
>
> Programs that ask for bash and use bashisms are already broken for the Ubuntu
> family (ie: Ubuntu and derivate
On 2014-09-26 11:27, Hugo Osvaldo Barrera wrote:
On 2014-09-26 07:30, Drake Wilson wrote:
On 26/09/14 07:06, Mailing Lists (???) wrote:
> Even if we agree to shift /bin/sh to dash, I'm not sure that it'll make
> that much of a difference. From what I've read, most of the problems
> come from CGI
On 2014-09-26 07:30, Drake Wilson wrote:
> On 26/09/14 07:06, Mailing Lists (???) wrote:
> > Even if we agree to shift /bin/sh to dash, I'm not sure that it'll make
> > that much of a difference. From what I've read, most of the problems
> > come from CGI scripts which invoke bash, and ssh post-aut
On 26 September 2014 18:16, Leonid Isaev wrote:
> ---
>
> So, yes ArchLinux core tools use and will continue to use 'bashisms'
> because
> they are convenient. The bugs which started this discussion are not a big
> deal
> anyway. They will only affect scripts that don't properly sanitize the
> in
On 2014-09-26 18:08, Florian Pritz wrote:
> This mail should now come with the correct List-Id header and should
> work with old filters. Sorry for the noise earlier.
>
The X-BeenThere header seems to have changed, but I'm now relying on List-Id
anyway (which is actually standard).
Other that re
Hi,
On Fri, Sep 26, 2014 at 07:30:29AM -0500, Drake Wilson wrote:
> [...]
> On my own desktop system, when I realized sh was bash recently I immediately
> relinked it to dash and intend to keep it that way as long as I reasonably
> can (I assume some things may break, in the current state; I'm wil
This mail should now come with the correct List-Id header and should
work with old filters. Sorry for the noise earlier.
signature.asc
Description: OpenPGP digital signature
On Fri, Sep 26, 2014, at 08:10 PM, Maarten de Vries wrote:
> So you do not find "any program that calls system()" specific and scary
> enough? I do.
I guess specific examples really would help making a good case, you
know? Being a non-programmer/sysad here, I'd be able to better support
you if you
On 2014-09-26 09:29, Maarten de Vries wrote:
On 26 September 2014 16:25, Doug Newgard
wrote:
On 2014-09-26 09:15, lolilolicon wrote:
On Fri, Sep 26, 2014 at 9:50 PM, Doug Newgard
wrote:
The problem is on many systems /bin/sh is linked to bash -- which is
why
this bug is so widespread /
On 26 September 2014 16:25, Doug Newgard wrote:
> On 2014-09-26 09:15, lolilolicon wrote:
>
>> On Fri, Sep 26, 2014 at 9:50 PM, Doug Newgard
>> wrote:
>>
>>> The problem is on many systems /bin/sh is linked to bash -- which is why
this bug is so widespread / severe. /bin/sh is "the single b
On 2014-09-26 09:15, lolilolicon wrote:
On Fri, Sep 26, 2014 at 9:50 PM, Doug Newgard
wrote:
The problem is on many systems /bin/sh is linked to bash -- which is
why
this bug is so widespread / severe. /bin/sh is "the single biggest
UNIX loophole", so let's make it a bit smaller by switching i
On Fri, Sep 26, 2014 at 9:50 PM, Doug Newgard wrote:
>> The problem is on many systems /bin/sh is linked to bash -- which is why
>> this bug is so widespread / severe. /bin/sh is "the single biggest
>> UNIX loophole", so let's make it a bit smaller by switching it to
>> something minimal, such as
It is only my experience as normal user. It was not that easy to compile
Wine 64 on a Debian multiarch system because of the package dependencies
between 32 and 64 bit. The only solution to compile the 32 bit part for
Wine on a Debian multiarch system was to create a 32 bit schroot jail.
For me as
On 2014-09-26 07:29, lolilolicon wrote:
On Fri, Sep 26, 2014 at 8:13 PM, Martti Kühne
wrote:
On Fri, Sep 26, 2014 at 2:06 PM, Mailing Lists
wrote:
Even if we agree to shift /bin/sh to dash, I'm not sure that it'll
make
that much of a difference. From what I've read, most of the problems
co
On Fri, Sep 26, 2014, at 05:43 PM, Martti Kühne wrote:
> Removing bashisms would not have any inpact in security but rather
> enable us switching /bin/sh away from /usr/bin/bash. Which we in
> general appear to agree on?
>
> cheers!
> mar77i
We do, but let's hope a dev weighs in on this. Or rathe
Hi,
I just upgraded to Gnome 3.14 and wanted to test new things, especially
the new Pacman backend to PackageKit (through gnome-software). I just
clicked on the "update and restart" notification and I couldn't boot
anymore.
I remove the "quiet" kernel boot flag in Grub and saw that the offending
On Fri, Sep 26, 2014 at 8:40 PM, Drake Wilson wrote:
> Aside: I'm not sure about the interpretation of checkbashisms re autotools
> scripts (in particular libtool) because they do an awful lot of weird code
> generation and shuffling to deal with multiple bogus shell implementations.
Yes, you'd e
On 26/09/14 07:30, Drake Wilson wrote:
> There is a _lot_ of "magic behavior" in bash. Debian bug #762839 mentions
> how bash still imports shell functions from environment variables with magic
> names, even when called as sh. The --posix option seems something of a joke.
Sorry, I mistyped; I me
On Fri, Sep 26, 2014 at 8:19 PM, Mailing Lists
wrote:
> On Fri, Sep 26, 2014, at 05:43 PM, Martti Kühne wrote:
>> Removing bashisms would not have any inpact in security but rather
>> enable us switching /bin/sh away from /usr/bin/bash. Which we in
>> general appear to agree on?
>>
>> cheers!
>> m
On 26/09/14 07:06, Mailing Lists (???) wrote:
> Even if we agree to shift /bin/sh to dash, I'm not sure that it'll make
> that much of a difference. From what I've read, most of the problems
> come from CGI scripts which invoke bash, and ssh post-authentication.
Anything that uses system(), popen(
On Fri, Sep 26, 2014 at 8:13 PM, Martti Kühne wrote:
> On Fri, Sep 26, 2014 at 2:06 PM, Mailing Lists
> wrote:
>>
>> Even if we agree to shift /bin/sh to dash, I'm not sure that it'll make
>> that much of a difference. From what I've read, most of the problems
>> come from CGI scripts which invok
On Fri, Sep 26, 2014, at 05:43 PM, Martti Kühne wrote:
> Removing bashisms would not have any inpact in security but rather
> enable us switching /bin/sh away from /usr/bin/bash. Which we in
> general appear to agree on?
>
> cheers!
> mar77i
No problems there. All I'm saying is that switching sho
On Fri, Sep 26, 2014 at 2:06 PM, Mailing Lists
wrote:
>
> Even if we agree to shift /bin/sh to dash, I'm not sure that it'll make
> that much of a difference. From what I've read, most of the problems
> come from CGI scripts which invoke bash, and ssh post-authentication.
> I'm not saying that the
On Fri, Sep 26, 2014, at 05:05 PM, lolilolicon wrote:
> The grep would find some false positives -- e.g., some perl script might
> include #!/bin/sh in its body (such as findimagedupes).
>
> With dash you don't really need -p, which is more strict.
>
> The following will reduce the count drastica
On Fri, Sep 26, 2014 at 6:06 PM, Mailing Lists
wrote:
>
> i just ran the "checkbashisms" script from the AUR on my /usr/bin using
> the command from the wiki:
>
> # checkbashisms -f -p $(grep -rlE '^#! ?/bin/(env )?sh' /usr/bin)
>
> which revealed 470 instances of putative bashisms in scripts usin
On Fri, Sep 26, 2014, at 02:52 PM, lolilolicon wrote:
> On Fri, Sep 26, 2014 at 4:20 PM, Martti Kühne wrote:
> [...]
> > Despite that I'm still not convinced as to why
> > the issue in question is such a big deal, I must say it's unlikely
> > we're better off with a less active, less used shell.
>
On Fri, Sep 26, 2014 at 4:20 PM, Martti Kühne wrote:
[...]
> Despite that I'm still not convinced as to why
> the issue in question is such a big deal, I must say it's unlikely
> we're better off with a less active, less used shell.
Put simply, bash has too much bloat. That includes obscure dark
On Fri, Sep 26, 2014 at 10:14 AM, lolilolicon wrote:
> On Fri, Sep 26, 2014 at 3:11 PM, Martti Kühne wrote:
>> Arch cannot realistically switch away from bash as long as both its
>> package management depends on it for both package creation and package
>> management tasks.
>
> But we can switch a
On Fri, Sep 26, 2014 at 3:11 PM, Martti Kühne wrote:
> Arch cannot realistically switch away from bash as long as both its
> package management depends on it for both package creation and package
> management tasks.
But we can switch away from using bash as /bin/sh.
On Fri, Sep 26, 2014 at 1:08 AM, Ranomier wrote:
> I wrote my idea first on the irc, but i think here is a better place.
>
> The idea is to give up multiarch repo and make pacman and archlinux capable
> for real multiarch support
>
> That means u could install a 32bit package from the normal repos
On Thu, Sep 25, 2014 at 7:21 PM, Tobias Hunger wrote:
> Hi Martti,
>
> I did mention that I have been playing with the hooks and systemd in my
> initial mail. At least I thought that would be clear. Sorry if it was not.
> I will try to make that more clear next time. Was my first post here, I
> on
Arch cannot realistically switch away from bash as long as both its
package management depends on it for both package creation and package
management tasks.
cheers!
mar77i
46 matches
Mail list logo
