On 02/15/2017 07:01 AM, Pierre Gaston wrote:
> If you can run arbitrary code in a shell (or even if your script doesn't
> validate its input), your security is already compromised.

Or put another way, bash CVEs are rare, and exist primarily when the shell can be made to run arbitrary code without you being able to prevent it. Shellshock was a case where bash could execute code before your script began (hence a CVE), but infinite recursion is a case where avoiding your script avoids the crash (therefore the bug is your script, not bash, and not worth a CVE).

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org