On 09/25/2014 08:55 AM, Eric Blake wrote: > On 09/25/2014 07:51 AM, Bob Friesenhahn wrote: >> It may be that some users of 'autoconf' will be at risk due to the dire >> bash security bug described at >> "http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/";. >> >> Take care that the environment is carefully vetted. > > There's nothing that ./configure can do to avoid the buggy bash, I should explain that: the bash bug affects bash startup, _before_ it starts running any commands in your script. So if you have a buggy shell, and use it to invoke your script, then by the time your script is running, the bug has already happened. I also think autoconf has a mitigating factor - the _reason_ the bash bug is such a huge security bug is that there are services that can be easily fooled into defining user-defined environment variables and handing it off to the shell. The escalation comes into play when you get a service running as a different user or on a different machine to do that on your behalf. But autoconf generates configure scripts which are designed to run on a local machine under the local user's credentials; while the bug is still ugly, configure's use of the shell is not crossing user/machine boundaries, and thus is probably not something that can be exploited for privilege escalation in a configure script alone. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Autoconf mailing list Autoconf@xxxxxxx https://lists.gnu.org/mailman/listinfo/autoconf
