On 26 September 2014 18:16, Leonid Isaev <lisaev@xxxxxxxxxxxx> wrote:

> ---
>
> So, yes ArchLinux core tools use and will continue to use 'bashisms' because
> they are convenient. The bugs which started this discussion are not a big deal
> anyway. They will only affect scripts that don't properly sanitize the input.
> Such scripts have bigger problems to worry about IMHO. The SSH-related issue is
> also insignificant because the bug will be triggered post-auth...
>

I very much disagree with that statement. Any ssh key with an attached force-command could be used to execute arbitrary commands. Then there is dhclient which passes information to scripts in environment variables, meaning that dhcp servers (for example on a public network) could execute commands on vulnerable clients. I would say both are a big deal and they are just two examples.

But as said by others, the recent bash vulnerability has been fixed and that was not the point of this discussion anyway.
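
A defensive check for the two cases the reply names, as an added example that is not part of the original message: it flags variables of the kind dhclient hook scripts and SSH forced commands receive when their value begins with the `() {` function-definition marker that unpatched bash parsed at startup. The function names and all sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: screen NAME=VALUE pairs that come from an untrusted peer
# (DHCP options handed to dhclient hook scripts, or the client-supplied
# SSH_ORIGINAL_COMMAND of a forced-command key) before a bash script runs.
# Known fact relied on: unpatched bash treated any environment value that
# starts with the four characters "() {" as a function definition to parse.

# Return 0 when the value starts with the function-definition marker.
looks_like_function_def() {
    case "$1" in
        "() {"*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Read NAME=VALUE lines on stdin and print the name of every flagged variable.
# Limitation: one pair per line, so values with embedded newlines are not handled.
scan_env_pairs() {
    while IFS= read -r pair; do
        name=${pair%%=*}     # text before the first '='
        value=${pair#*=}     # text after the first '='
        if looks_like_function_def "$value"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample input, shaped like what a dhclient hook or a
# forced-command wrapper would see. The flagged values are harmless
# placeholders that only carry the marker.
sample_pairs() {
    cat <<'EOF'
new_ip_address=192.0.2.10
new_domain_name=() { constructed-sample; }
new_host_name=client1
reason=BOUND
SSH_ORIGINAL_COMMAND=() { constructed-sample; }
note=text that mentions () { later on is not flagged
EOF
}

# Stand-alone run: list the variables a wrapper should drop or log.
sample_pairs | scan_env_pairs
```

A wrapper can unset or log the listed names before it hands control to a bash script; patching bash remains the actual fix, as the thread notes.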