On 9/26/2014 11:51 AM, Bryan Drewery wrote:
> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>> On Fri, Sep 26, 2014 at 6:40 PM, Bryan Drewery <bdrew...@freebsd.org> wrote:
>>> On 9/26/2014 2:36 AM, Steve Clement wrote:
>>>> Dear all,
>>>>
>>>> In case you urgently need to go the manual route, here is one way to
>>>> really patch your systems:
>>>>
>>>> https://www.circl.lu/pub/tr-27/
>>>>
>>>> Until the patch is in the bash upstream… (which it might be by now)
>>>>
>>>> Take care,
>>>>
>>> The port has had the fixes since yesterday. The packages are building.
>>>
>>> --
>>> Regards,
>>> Bryan Drewery
>>>
>> Apparently, the full fix is still not delivered, according to this:
>> http://seclists.org/oss-sec/2014/q3/741
>>
>> Kind regards,
>> Bartek Rutkowski
>>
> I'm pretty sure they call that a "feature". This is a bit different.
> This is modifying the command used to call a function as the feature
> intends. The vulnerability was that just parsing the environment would
> execute the code.
>
> TL;DR: You should cleanse your environment and only accept valid input
> to work around this feature. The bash developer (Chet) said he would not
> remove it by default, at least a few days ago.
>
There is more discussion here: http://seclists.org/oss-sec/2014/q3/746

Anyway, I still think this is not anything to panic about. However, I am making the decision to disable this feature entirely in our bash port by default. I will use christos@NetBSD's patch to add a --import-functions flag to bash. The port will allow selecting the default at build time. Ours will have it disabled.

I have no idea what the impact is on this, but it is the safest route for now; scripts passing functions in the environment is crazy.

--
Regards,
Bryan Drewery
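The two practical points in the thread are that an unpatched bash executed trailing commands while merely parsing function definitions out of the environment, and that the workaround is to cleanse the environment before handing it to bash. The script below is an added example written for this page, not code from the thread, the FreeBSD port, or the NetBSD patch it mentions. It runs the widely published detection probe against the local bash, lists environment variables that carry the `() {` function-export encoding, and shows an allowlisted `env -i` launcher. The function names (`shellshock_check`, `find_function_exports`, `run_clean`, `report`) and the probe variable name `probe` are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): detect parse-time
# execution of environment-imported functions and cleanse the environment.

# Returns 0 if bash runs the trailing command while importing the function
# from the environment (unpatched), 1 if it ignores it (patched),
# 2 if bash is not installed at all.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || return 2
    # Constructed probe: a function body followed by a trailing command.
    # Only an unpatched bash prints "vulnerable" before running the -c script.
    probe_out=$(env probe='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$probe_out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Print the names of exported variables whose value starts with "() {",
# the encoding bash inspects at startup when importing functions.
find_function_exports() {
    env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=() {.*/\1/p'
}

# Run a command with an explicitly allowlisted environment instead of the
# caller's full one; anything that looked like a function export is dropped.
run_clean() {
    env -i PATH="$PATH" HOME="$HOME" "$@"
}

# Stand-alone report for an operator.
report() {
    check_rc=0
    shellshock_check || check_rc=$?
    case "$check_rc" in
        0) echo "bash: VULNERABLE - trailing command ran during environment import" ;;
        1) echo "bash: patched - trailing command was ignored" ;;
        *) echo "bash: not installed" ;;
    esac
    export_names=$(find_function_exports)
    if [ -n "$export_names" ]; then
        echo "function-style exports present in this environment:"
        echo "$export_names"
    else
        echo "no function-style exports in this environment"
    fi
}

report
```

`run_clean` is the "only accept valid input" half of the advice: rather than trying to filter every suspicious value, it starts from an empty environment and passes through only the variables the child actually needs, which is the safer default for anything (CGI wrappers, DHCP hooks, SSH forced commands) that launches bash with attacker-influenced environment variables.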