Samuel Thibault:
> Matthias Urlichs, on Thu 25 Sep 2014 21:17:58 +0200, wrote:
> > Samuel Thibault:
> > > Sounds crazy to me.
> > >
> > Definitely. This is now out in the wild; exploits which simply replace
> > echo or cat-without-/bin are going to happen. :-/
>
> That's not so easy to exploit. You have to manage to inject those precise
> variable names.

While everybody is looking at bash, isn't this the real injection part? Why are there still programs which copy stuff from the network into the environment without proper sanitation? This bash bug makes this easy to exploit, but it is not hard to imagine that this can confuse other programs in different ways.

In fact, there were very similar bugs in the past:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0997

Martin

Archive: https://lists.debian.org/20140925182221.4ff545d1@lemur
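
The sanitation step the message above asks for, sketched as an added example that is not part of the original thread or of any project's code: a daemon validates each network-supplied value against a per-option allowlist before exporting it to a hook script's environment. The option names, the `new_` prefix and the sample values are assumptions constructed for illustration.

```python
import re

# One DNS label: letters, digits, inner hyphens, at most 63 characters.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"

# Allowlist per option (hypothetical option names). Anything without an
# entry here is never exported, so new options are closed by default.
VALIDATORS = {
    "host_name": re.compile(LABEL),
    "domain_name": re.compile(rf"{LABEL}(?:\.{LABEL})*"),
    "ip_address": re.compile(r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}"),
}
MAX_LEN = 255


def build_hook_env(options: dict[str, bytes]) -> tuple[dict[str, str], list[str]]:
    """Return (environment for the hook script, names of rejected options)."""
    env: dict[str, str] = {}
    rejected: list[str] = []
    for name, raw in options.items():
        pattern = VALIDATORS.get(name)
        try:
            value = raw.decode("ascii")
        except UnicodeDecodeError:
            value = None
        # fullmatch() rather than match() with "$": "$" would accept a
        # trailing newline, which is exactly the kind of byte to keep out.
        if (pattern is None or value is None or len(value) > MAX_LEN
                or pattern.fullmatch(value) is None):
            rejected.append(name)
            continue
        env["new_" + name] = value
    return env, rejected


# Constructed sample: what a hostile or broken server might send.
SAMPLE = {
    "host_name": b"() { :; }; echo injected",  # shell syntax, not a hostname
    "domain_name": b"example.org",
    "ip_address": b"192.0.2.10",
    "x_custom": b"anything",                   # no validator: dropped
}

if __name__ == "__main__":
    env, rejected = build_hook_env(SAMPLE)
    print("exported:", env)
    print("rejected:", rejected)
```

Rejecting by allowlist rather than stripping known-bad characters means the check does not depend on which consumer (bash or any other program) later reads the variable.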