Eric Blake <eblake@xxxxxxxxxx> posted on Sat, 27 Sep 2014 18:26:43 -0600:
> There has been a LOT of news about bash's Shell Shock bug lately.
> Document some of the ramifications it has on portable scripting.

Documenting this seems reasonable.

> I'm still debating about adding a sniffer to configure scripts that
> warns users if they still have a vulnerable bash on their system,

I think it'd be reasonable to add some basic detections for easy cases.
For the first 5 shellshock CVEs there's CC0-licensed code you could use here:
https://github.com/hannob/bashcheck

Fully detecting it can be complex; that author hasn't found a way
to reliably and portably detect at least one case without address sanitizer.
But detecting the first two (CVE-2014-6271 and CVE-2014-7169) is easy, just snag from:
https://github.com/hannob/bashcheck/blob/master/bashcheck

A number of people (including me!) want to counter attacks against
development and build environments, e.g.:
https://mailman.stanford.edu/pipermail/liberationtech/2013-June/009257.html
http://www.dwheeler.com/trusting-trust

A reminder might encourage someone to harden their system before it's subverted.

--- David A. Wheeler
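
A minimal sniffer for the two easy cases named in the message above (CVE-2014-6271 and CVE-2014-7169), as an added example that is not part of the original post and is not copied from bashcheck. The function name `check_shellshock`, the marker string and the return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: probe one shell binary for the first two Shellshock CVEs.
# Usage: check_shellshock /path/to/bash
# Returns (convention chosen for this example):
#   0 = neither probe triggered, 1 = at least one triggered, 2 = cannot test.
check_shellshock() {
    shell=$1
    if [ ! -f "$shell" ] || [ ! -x "$shell" ]; then
        echo "cannot run: $shell" >&2
        return 2
    fi
    found=0

    # CVE-2014-6271: a vulnerable bash runs the text that follows the
    # function body while importing the variable, so the marker is printed
    # even though the command given to -c is only ':'.
    out=$(env x='() { :;}; echo SHELLSHOCK_PROBE' "$shell" -c : 2>/dev/null) || :
    case $out in
        *SHELLSHOCK_PROBE*) echo "CVE-2014-6271: vulnerable"; found=1 ;;
        *) echo "CVE-2014-6271: not detected" ;;
    esac

    # CVE-2014-7169: a vulnerable bash mis-parses the truncated definition
    # and creates a file named "echo" in the current directory. Run the
    # probe in a scratch directory (mktemp -d is widely available but not
    # POSIX) so nothing is left behind in the build tree.
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env x='() { function a a>\' "$shell" -c echo >/dev/null 2>&1 ) || :
    if [ -e "$tmp/echo" ]; then
        echo "CVE-2014-7169: vulnerable"; found=1
    else
        echo "CVE-2014-7169: not detected"
    fi
    rm -rf "$tmp"

    return "$found"
}

# When invoked with an argument, test that shell; with no argument, only
# define the function (so the file can also be sourced).
if [ -n "${1-}" ]; then
    check_shellshock "$1"
fi
```

A clean result here covers only these two CVEs; as the message notes, the later Shellshock cases are harder to detect portably.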