On 02/26/2016 07:54 AM, Travis Garrell wrote:
> Good Morning/Afternoon/Evening,
>
> Is there a set process in place for reporting security vulnerabilities
> against bash? If so, what might that process be?

Very few bugs in bash are security vulnerabilities (shellshock being the obvious exception). Yes, bash has bugs, but in most cases, what people think are security bugs in bash are actually poorly-written shell functions that crash for the user, but which can't exploit bash to escalate the user's privileges. So unless you are dead certain you have another shellshock equivalent on your hands (where bash could be coerced into running arbitrary code that was NOT part of the shell script, in such a way that anyone using bash as /bin/sh via system() calls made those programs become an escalation point), then posting your example to this list is probably okay, at which point we can confirm that it is not a security bug.

--
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org