There has been a LOT of news about bash's Shell Shock bug lately. Document some of the ramifications it has on portable scripting.

* doc/autoconf.texi (Limitations of Builtins) <export>: Add some details about Shell Shock CVE-2014-6271.

Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
---
I'm still debating about adding a sniffer to configure scripts that warns users if they still have a vulnerable bash on their system, but that's a bigger project, and makes the most sense only if I can release autoconf 2.70 in the near future. But I'd like to apply this patch no matter what.

doc/autoconf.texi | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/doc/autoconf.texi b/doc/autoconf.texi index e2137ae..b3fabfd 100644 --- a/doc/autoconf.texi +++ b/doc/autoconf.texi @@ -17668,6 +17668,15 @@ Limitations of Builtins bar @end example +Posix requires @command{export} to work with any arbitrary value for the +contents of the variable being exported, but some versions of Bash +(including all builds prior to September 2014) are vulnerable to the +``Shell Shock'' remote execution bug (CVE-2014-6271 and friends), where +exporting a variable with the initial substring of @code{() @{} could +trigger a number of undesirable behaviors at the startup of a child +bash. Bash has an extension that allows the export of function +definitions, but this is not portable to other shells. + @item @command{false} @c ------------------ @prindex @command{false} -- 1.9.3

_______________________________________________
Autoconf mailing list
Autoconf@xxxxxxx
https://lists.gnu.org/mailman/listinfo/autoconf
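Review bot: the new paragraph under <export> describes the hazard but gives a script author nothing to act on. After the sentence ending "at the startup of a child bash", add explicit guidance, for example that portable scripts should avoid exporting a value that begins with @code{() @{} whenever a child process might be Bash. The phrase "a number of undesirable behaviors" is also weaker than "remote execution bug" earlier in the same sentence; name the behavior once so the two agree. The closing sentence about Bash's function-export extension is what explains why that prefix is special, so it would read better placed before the description of the bug than after it. Finally, "a child bash" should use @command{bash} to match the @command{export} and @command{false} markup visible in the surrounding context.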