https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29 :)
- Sylvain

On 13/07/2020 10:39, Ola Lundqvist wrote:
> Hi
>
> One more note. The command will be executed as the authenticated user.
> So there is no privilege escalation.
> But this may be used in combination with some privilege escalation though.
>
> // Ola
>
> On Mon, 13 Jul 2020 at 10:37, Ola Lundqvist <o...@inguza.com> wrote:
>>
>> Hi
>>
>> An attack is possible in the following cases:
>> 1) The attacker can log in
>> 2) The attacker is not supposed to execute any command, just run the
>> command that uses ksh as interpreter.
>> 3) The attacker can trick ksh to import environment variables from the
>> attacker (for example in a login shell like provided through ssh)
>>
>> I'd say that this is a rather rare case, but sure fixing it is better
>> than not to.
>>
>> GitHub is up now but essentially the patch does what the description of
>> the vulnerability tells. It only allows integers.
>>
>> Best regards
>>
>> // Ola
>>
>> On Mon, 13 Jul 2020 at 09:55, Sylvain Beucler <b...@beuc.net> wrote:
>>>
>>> Hi,
>>>
>>> On 13/07/2020 00:01, Brian May wrote:
>>>> Is dla-needed.txt for Jessie or Stretch now?
>>>
>>> Stretch.
>>>
>>>> ksh was removed from dla-needed.txt for Stretch and classified "minor":
>>>>
>>>> https://salsa.debian.org/security-tracker-team/security-tracker/commit/87322fcf
>>>>
>>>> Then it was added again:
>>>>
>>>> https://salsa.debian.org/security-tracker-team/security-tracker/commit/59a9cd9dca3afc830fea869d12baf2f3d7c21126
>>>>
>>>> Should we mark it as ignored in Stretch also? Or maybe the reason (as
>>>> given in the commit message when ksh was first removed) was wrong?
>>>>
>>>> https://salsa.debian.org/security-tracker-team/security-tracker/commit/b72cc677e719d37f5f3378d616d9cb53315db927
>>>
>>> GitHub is currently down, so I can't review the patch, but it sounds
>>> like we don't know for sure the full impact of the vulnerability and
>>> would be better off fixing it.
>>>
>>> Cheers!
>>> Sylvain