On 25 September 2014 20:11, jd1008 <jd1008@xxxxxxxxx> wrote:
>
> On 09/25/2014 01:50 AM, Ian Malone wrote:
>>
>> On 25 September 2014 01:36, jd1008 <jd1008@xxxxxxxxx> wrote:
>>>
>>> On 09/24/2014 06:27 PM, Chris Adams wrote:
>>>>
>>>> Once upon a time, jd1008 <jd1008@xxxxxxxxx> said:
>>>>>
>>>>> So, is this one of the ways javascripts exec bash to install malware
>>>>> or do other nasty stuff?
>>>>
>>>> This has nothing to do with Javascript. It is probably more serious to
>>>> servers, such as web servers, than to desktops.
>>> Well and good.
>>> Are you saying that a java script, being executed on your system
>>> via the browser, cannot also fork and exec bash?
>>
>> That in itself is not the vulnerability, the vulnerability is that
>> starting bash with environment variables that are potentially set by
>> an untrusted user can execute code, the lwn write up is quite good
>> http://lwn.net/Articles/613032/
>>
> Thanx Ian.
> I wonder if the BSD sh has the same vulnerability.
> Mac OS-X does!

It's sort of a BSD. I don't have a real BSD to look at, it seems some
of them use true sh
http://bsdwiki.reedmedia.net/wiki/Create_a_simple_Bourne_shell_script.html,
this being a bash problem it's unlikely, but anyone using one might
want to check for peace of mind.

--
imalone
http://ibmalone.blogspot.co.uk
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
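
The "check for peace of mind" suggested in the message above can be scripted per shell. This is an added example, not part of the original thread: the variable name `probe`, the marker string and the list of shell names are constructed for illustration.

```shell
#!/bin/sh
# Added example: test whether a shell executes code smuggled in through an
# environment variable, the behaviour described in the thread above.

MARKER="ENV_CODE_EXECUTED"   # constructed marker, only used to spot execution

# probe_shell SHELL
# Prints "vulnerable", "not vulnerable" or "missing".
# Returns 1, 0 or 2 respectively.
probe_shell() {
    shell_path=$1
    if ! command -v "$shell_path" >/dev/null 2>&1; then
        echo "missing"
        return 2
    fi
    # The value looks like an exported function definition followed by a
    # trailing command. A safe shell treats the whole value as inert data;
    # an affected bash runs the trailing command while starting up.
    out=$(env probe="() { :;}; echo $MARKER" "$shell_path" -c 'echo started' 2>/dev/null)
    case $out in
        *"$MARKER"*) echo "vulnerable"; return 1 ;;
        *)           echo "not vulnerable"; return 0 ;;
    esac
}

# Check the shells a BSD, OS X or Linux system commonly ships
# (assumed list; adjust to what is installed locally).
scan_shells() {
    for s in bash sh dash ksh zsh; do
        printf '%-5s %s\n' "$s" "$(probe_shell "$s")"
    done
}

scan_shells
```

On systems where `sh` is a link to bash, the `sh` row reports on bash itself, so both rows matter.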