On Thu, 25 Sep 2014, Eric Blake wrote:

> On 09/25/2014 07:51 AM, Bob Friesenhahn wrote:
>> It may be that some users of 'autoconf' will be at risk due to the dire
>> bash security bug described at
>> "http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/".
>> Take care that the environment is carefully vetted.
>
> There's nothing that ./configure can do to avoid the buggy bash, but it
> may indeed be worth patching autoconf to generate configure scripts that
> issue a loud warning if the buggy shell is detected on the user's
> system. I'll look into doing that.

As far as I can tell, the main issue would be for free software sites
which provide services via CGI scripts which expose CGI environment
variables to scripts running bash. It does not matter if the initial
CGI script is based on Python, Perl, or something else if a script
running bash eventually gets invoked with the problematic environment
variables. At least that is my understanding.

There are also issues when using ssh because ssh can invoke remote
scripts on behalf of the user while passing local environment
variables.
Bob
--
Bob Friesenhahn
bfriesen@xxxxxxxxxxxxxxxxxxx, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
_______________________________________________
Autoconf mailing list
Autoconf@xxxxxxx
https://lists.gnu.org/mailman/listinfo/autoconf
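
The advice above to vet the environment before a CGI or ssh-invoked script reaches bash, as an added example that is not part of the original thread or of autoconf. It assumes that affected bash versions import any variable whose value begins with `() {` as a function definition, and that `env -u` is available; `suspect_env_names` and `run_vetted` are hypothetical names.

```shell
#!/bin/sh
# Added example: vet the environment before handing it to a script that may
# end up running bash.
# Assumption: affected bash versions treat any environment variable whose
# value begins with the four characters "() {" as a function to import.

# Print the name of every environment variable whose value starts with "() {".
# awk's ENVIRON is read instead of parsing `env` output, so a value that
# contains newlines cannot hide or forge a NAME=value line.
suspect_env_names() {
    awk 'BEGIN {
        for (name in ENVIRON)
            if (index(ENVIRON[name], "() {") == 1)
                print name
    }' | sort
}

# Run a command with every suspect variable removed from its environment.
# Assumption: env(1) supports -u (GNU, BSD and busybox do; POSIX does not
# require it). The -u options are prepended to the command's own arguments.
run_vetted() {
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        echo "warning: dropping function-like variable $name" >&2
        set -- -u "$name" "$@"
    done <<EOF
$(suspect_env_names)
EOF
    env "$@"
}
```

A CGI wrapper would call `run_vetted /path/to/handler` (placeholder path) instead of invoking the handler directly; variables with ordinary values pass through unchanged.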