On October 14, 2014 1:01:02 AM PDT, Simon Munton <simon.mun...@cdns.net> wrote: >(Sorry, this is not strictly DNS, but I would guess that this is the >cause of this shell-shock vector). > >When looking at the code for libc I was most disappointed to see that >"/bin/sh" is hard coded for both "popen()" and "system()"
That is what POSIX requires. > >Where as I had previously assumed that the environment variable SHELL >could override this. That would make most programs using system() or popen() fail for those of us using tcsh. > >As "/bin/sh" is almost always a symlink to "/bin/bash", and many O/S >scripts assume this to be the case (i.e. use bash specific features, >without declaring "#!/bin/bash"), so simply making "/bin/sh" a link to >(say) "/bin/ash" is probably not an option. Apple and redhat err'd in using bash to implement the /bin/sh interface. They should switch to ash like BSD or to the dash derivative of ash like Debian. > > >So heads-up to any systems that use "popen()" or "system()" That's all systems. Though only apple and redhat strictly needed patching. > >IMHO, these two vectors mean shellshock will provide all sorts of >unexpected opportunities, I'm waiting to hear a live system that's vulnerable to the DNS method before I'll agree to call it a "vector". Right now it's a rigged demo. > until everybody is upgraded. That's never. Vixie -- Sent from my Android phone with K-9 Mail. Please excuse my brevity. _______________________________________________ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
