On 2014-09-27, Javier Bassi <[email protected]> wrote:
> On 09/25/2014 10:25 PM, ian kremlin wrote:
>> /bin/sh is an implementation of *the bourne shell*, not the
>> bourne-again shell (bash). in any case, neither /bin/sh nor ksh is
>> vulnerable to the recent "shellshock" vulnerability.
>
> Also, if OpenBSD had bash it still wouldn't be such a big issue as it is
> in Linux. The most common attack vector is Apache with PHP with scripts
> calling system(), shell_exec(), etc. Since hosts with OBSD have httpd
> chrooted, even if they installed PHP, /bin/sh wouldn't be inside the
> jail. And even if they added /bin/sh and someone was able to exploit it,
> they would be trapped inside the jail.

Some other vectors:

dhclient script - the dhclient in base doesn't have scripts any more, so no issue there. Other dhclient implementations still do; they are unlikely to use bash *by default*, though who knows what people may change on their systems.

MTAs passing variables to scripts they're calling via the environment. If those scripts use bash, they're at risk.

Log parsers written using bash and handling untrusted data.

Also note that some systems using PHP will have /bin/sh in the chroot, as it is required for the mail() function. (Pure PHP mail classes that talk SMTP directly are a better idea where possible.) Unlikely to be bash on OpenBSD. But if you have machines (most likely on another OS) where you do have copies of bash in a chroot jail, be sure to update those copies too!

> Of course this is all hypothetical because OBSD doesn't have bash to
> begin with.

It does have it, in packages, and it is not magically invulnerable because it runs on OpenBSD; it has the same problem as on any other OS. Various things in packages explicitly use bash rather than /bin/sh, so there are some cases where you may run into problems. There are updates in -stable ports (but N.B. official packages are only built for releases and -current, not -stable).
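Two follow-up checks the reply above implies an administrator would want: which scripts on a host actually run under bash (as opposed to /bin/sh), and whether a shell copied into a chroot jail has fallen behind the system copy it was taken from. The following POSIX sh helpers are an added example written for this page, not code from the thread or from OpenBSD; the function names, the sample files used in the usage lines, and the temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit helpers for the two Shellshock
# follow-ups raised above. Written in POSIX sh on purpose, so the audit
# itself never depends on bash.

# bash_shebang_scripts DIR
# Print every regular file under DIR whose first line is a shebang that
# invokes bash, either directly (#!/bin/bash, #!/usr/local/bin/bash, with
# or without options) or via env (#!/usr/bin/env bash).
# Scripts run as "bash foo.sh" from elsewhere are out of scope, as is the
# "#!/usr/bin/env -S bash" form; note both when reviewing results.
bash_shebang_scripts() {
    dir=$1
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        # Only the first line matters; skip files we cannot read.
        first=$(head -n 1 "$f" 2>/dev/null) || continue
        case "$first" in
            '#!'*/bash|'#!'*/bash\ *|'#!'*/env\ bash|'#!'*/env\ bash\ *)
                printf '%s\n' "$f" ;;
        esac
    done
}

# chroot_copy_status ROOT BIN
# Compare the copy of BIN inside the chroot ROOT against the system copy.
# Prints one of:
#   OK      <path>   copies are byte-identical
#   STALE   <path>   copies differ (the jailed one was not updated)
#   MISSING <path>   the chroot has no such file (nothing to update)
# Returns 1 for STALE, 0 otherwise, so it can drive a larger audit loop.
chroot_copy_status() {
    root=$1; bin=$2
    inside="$root$bin"
    if [ ! -f "$inside" ]; then
        printf 'MISSING %s\n' "$inside"; return 0
    fi
    if cmp -s "$bin" "$inside"; then
        printf 'OK %s\n' "$inside"; return 0
    fi
    printf 'STALE %s\n' "$inside"; return 1
}

# Usage on a constructed tree (hypothetical paths):
#   bash_shebang_scripts /usr/local/bin
#   chroot_copy_status /var/www /bin/sh
```

`chroot_copy_status` only checks that the jailed file matches the host's; it assumes the host copy has itself been patched, so run the package update first and then walk every chroot with it. A STALE result after patching is exactly the "copies of bash in a chroot jail" case the reply warns about.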

