Bug#762839: bash without importing shell functions from the environment

2014-09-28 Thread Matthias Urlichs
Hi, Raphael Geissert: > On Friday 26 September 2014 18:48:37 Matthias Urlichs wrote: > [...] > > In any case, adding "-p" to any #!/bin/bash shebang line looks like a very > > good idea. Shall we add a Lintian check for this? > > No. > … and why not? Importing random functions from the environ

Bug#762839: Re: Bug#762839: bash without importing shell functions from the environment

2014-09-28 Thread Raphael Geissert
On Friday 26 September 2014 18:48:37 Matthias Urlichs wrote: [...] > In any case, adding "-p" to any #!/bin/bash shebang line looks like a very > good idea. Shall we add a Lintian check for this? No. Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net

Bug#762839: bash without importing shell functions from the environment

2014-09-26 Thread Matthias Urlichs
Hi, shawn wilson: > > Maybe we should add the patched version, with an appropriate NEWS entry, > > to backports? > > > > Maybe? "Maybe we" as a shorthand for "IMHO, the maintainer of bash should". Better? :-) Also, '-p' (privileged mode, i.e. ignore functions in the environment, as well as a b

Bug#762839: bash without importing shell functions from the environment

2014-09-26 Thread shawn wilson
On Sep 25, 2014 3:18 PM, "Matthias Urlichs" wrote: > > Hi, > > Samuel Thibault: > > Sounds crazy to me. > > > Definitely. This is now out in the wild; exploits which simply replace > echo or cat-without-/bin are going to happen. :-/ > Actually, what I've seen reported in the wild have been wget a

Bug#762839: bash without importing shell functions from the environment

2014-09-26 Thread Vincent Lefevre
On 2014-09-26 09:19:17 +0200, Samuel Thibault wrote: > Nikolaus Rath, on Thu 25 Sep 2014 17:26:40 -0700, wrote: > > Wasn't there some web server that used to put query script variables > > into the environment of the CGI script? > > Well, that ought to have been fixed a long time ago already, >

Bug#762839: bash without importing shell functions from the environment

2014-09-26 Thread Samuel Thibault
Nikolaus Rath, on Thu 25 Sep 2014 17:26:40 -0700, wrote: > Samuel Thibault writes: > > Matthias Urlichs, on Thu 25 Sep 2014 21:17:58 +0200, wrote: > >> Samuel Thibault: > >> > Sounds crazy to me. > >> > > >> Definitely. This is now out in the wild; exploits which simply replace > >> echo or

Bug#762839: bash without importing shell functions from the environment

2014-09-25 Thread Matthias Urlichs
Hi, Martin Uecker: > While everybody is looking at bash, isn't this the real injection part? Why are there still programs which copy stuff > from the network into environment without proper sanitation? Probably either sheer laziness, or for the usual, misguided-these-days (IMHO) "be lenien

Bug#762839: bash without importing shell functions from the environment

2014-09-25 Thread Mike Hommey
On Thu, Sep 25, 2014 at 04:29:05PM +0100, Ian Jackson wrote: > Package: bash > Version: 4.1-3 > > I have prepared bash packages which do not honour any shell functions > they find in the environment. IMO that is a crazy feature, which > ought to be disabled. (I'm running this on chiark now and n

Bug#762839: bash without importing shell functions from the environment

2014-09-25 Thread Martin Uecker
Samuel Thibault: > Matthias Urlichs, on Thu 25 Sep 2014 21:17:58 +0200, wrote: > > Samuel Thibault: > > > Sounds crazy to me. > > > > > Definitely. This is now out in the wild; exploits which simply replace > > echo or cat-without-/bin are going to happen. :-/ > > That's not so easy to exploi

Bug#762839: bash without importing shell functions from the environment

2014-09-25 Thread Samuel Thibault
Matthias Urlichs, on Thu 25 Sep 2014 21:17:58 +0200, wrote: > Samuel Thibault: > > Sounds crazy to me. > > > Definitely. This is now out in the wild; exploits which simply replace > echo or cat-without-/bin are going to happen. :-/ That's not so easy to exploit. You have to manage to inject th

Bug#762839: bash without importing shell functions from the environment

2014-09-25 Thread Josselin Mouette
On Thursday 25 September 2014 at 16:29 +0100, Ian Jackson wrote: > I have prepared bash packages which do not honour any shell functions > they find in the environment. IMO that is a crazy feature, which > ought to be disabled. (I'm running this on chiark now and nothing has > visibly broken yet.)

Bug#762839: bash without importing shell functions from the environment

2014-09-25 Thread Matthias Urlichs
Hi, Samuel Thibault: > Sounds crazy to me. > Definitely. This is now out in the wild; exploits which simply replace echo or cat-without-/bin are going to happen. :-/ Maybe we should add the patched version, with an appropriate NEWS entry, to backports? -- -- Matthias Urlichs

Bug#762839: bash without importing shell functions from the environment

2014-09-25 Thread Christoph Anton Mitterer
Could you push that upstream as well? It's for sure not the only crazy thing bash is doing... but one that should be really abolished without mercy. Cheers, Chris.

Bug#762839: bash without importing shell functions from the environment

2014-09-25 Thread Samuel Thibault
Ian Jackson, on Thu 25 Sep 2014 16:29:05 +0100, wrote: > I have prepared bash packages which do not honour any shell functions > they find in the environment. IMO that is a crazy feature, which > ought to be disabled. (I'm running this on chiark now and nothing has > visibly broken yet.) Yes.

Bug#762839: bash without importing shell functions from the environment

2014-09-25 Thread Ian Jackson
Package: bash Version: 4.1-3 I have prepared bash packages which do not honour any shell functions they find in the environment. IMO that is a crazy feature, which ought to be disabled. (I'm running this on chiark now and nothing has visibly broken yet.) Packages (i386) for squeeze, wheezy and