On 2014-09-26 09:15, lolilolicon wrote:
On Fri, Sep 26, 2014 at 9:50 PM, Doug Newgard <scimmia@xxxxxxxxxxxxxx>
wrote:
The problem is on many systems /bin/sh is linked to bash -- which is
why
this bug is so widespread / severe. /bin/sh is "the single biggest
UNIX loophole", so let's make it a bit smaller by switching it to
something minimal, such as dash.
Why? Why is that the problem? What attack vector is available because
of
this? Give me specifics, not theoretical, non-existent examples.
Because the vulnerable systems do not call bash by name, they call
/bin/sh. And they are vulnerable only because /bin/sh is linked to
bash.
Wrong, they DO call bash by name. The main issues are with ssh, which
uses the user's specified interactive shell, and with Apache's mod_cgi
and mod_cgid, which do call bash. Again, stop providing non-existent FUD
and give real-world examples of where having /bin/sh linked to something
else would have mitigated this.
Specifically, only on systems where /bin/sh is bash, any ENV whose
value
starts with '() {' gets turned into a function by the shell.
(It's being patched up, but this whole affair is telling...)
This is pretty real, unless what you want is some vivid horror story.
