On 09/29/2014 05:19 AM, Ralf Corsepius wrote: > On 09/25/2014 05:53 PM, Eric Blake wrote: > >> Huh? There is no wasted effort in teaching configure scripts to warn >> users that they are running on an unpatched vulnerable system. Just >> because a fix may be available doesn't mean everyone is running the fix. > > I do not see any sense in this at all, unless the bash bug itself would > impact configure scripts themselves. But it MIGHT impact configure scripts. One of the goals of configure is to 'export' variables into the build environment prior to calling config.status recipes. The whole point of the Shell Shock bug is that there are some values that you cannot safely export, because doing so risks your child misbehaving. As we cannot predict which child processes will be run during config.status, configure scripts may indeed be vulnerable. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Autoconf mailing list Autoconf@xxxxxxx https://lists.gnu.org/mailman/listinfo/autoconf
