On Fri, Sep 26, 2014 at 9:50 PM, Doug Newgard <scimmia@xxxxxxxxxxxxxx> wrote:
>> The problem is on many systems /bin/sh is linked to bash -- which is why
>> this bug is so widespread / severe. /bin/sh is "the single biggest
>> UNIX loophole", so let's make it a bit smaller by switching it to
>> something minimal, such as dash.
>
>
> Why? Why is that the problem? What attack vector is available because of
> this? Give me specifics, not theoretical, non-existent examples.
Because the vulnerable systems do not call bash by name, they call
/bin/sh. And they are vulnerable only because /bin/sh is linked to bash.
Specifically, only on systems where /bin/sh is bash, any ENV whose value
starts with '() {' gets turned into a function by the shell.
(It's being patched up, but this whole affair is telling...)
This is pretty real, unless what you want is some vivid horror story.
