On 09/26/2014 10:16 AM, Leonid Isaev wrote:
> The bugs which started this discussion are not a big deal anyway. They
> will only affect scripts that don't properly sanitize the input. Such
> scripts have bigger problems to worry about IMHO. The SSH-related
> issue is also insignificant because the bug will be triggered
> post-auth... Cheers,

The bug can be triggered by Apache and is potentially not limited to CGI alone [1] if /bin/sh links to bash. As others have stated earlier, certain syscalls can also serve as a vector, which implies that simply avoiding CGI (FastCGI, mod_*) may not provide complete resolution.

I don't know if Arch is affected, but there's a proof of concept floating around (ab)using dhcpcd's hook scripts [2] to exploit clients on a potentially hostile network. It also appears possible that previous patches have *not* completely fixed the issue [3].

I'm just a user of Arch, and while I agree (to an extent) this issue may be overblown, I certainly don't think sticking our head in the sand, pretending it doesn't exist (or cannot affect us) is a viable long-term solution.

That said, I agree with the others here: The primary reason I'd support linking /bin/sh to dash is to favor correctness. From such a standpoint, if a script asks for /bin/sh, it should expect a POSIX-compliant sh and should not rely on bashisms (i.e. I should be able to move it to *BSD or other platforms and it ought to simply work). Therefore, I agree that any improvement in terms of security would be relegated to a convenient side effect.

[1] http://security.stackexchange.com/a/68164
[2] https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
[3] http://seclists.org/oss-sec/2014/q3/741
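The mail above turns on one detail: whatever interpreter sits behind /bin/sh is the one that parses a hostile environment when a web server or DHCP client launches a hook, and the hook script's own input handling never comes into play. The script below is an added example for this page, not code from the thread or from Arch, dhcpcd or Apache. It resolves the /bin/sh symlink, then launches a tiny "hook" under a chosen interpreter with an attacker-shaped value in an environment variable. The variable name UNTRUSTED_OPTION is a stand-in chosen for this example, the payload is constructed here in the shape of the original report, and it assumes bash is installed (dash may or may not be).

```shell
#!/bin/sh
# Added example (not from the thread): which interpreter is /bin/sh, and does a
# given shell act on a function-shaped environment variable at startup?
# Assumptions: bash is installed; dash may be absent; UNTRUSTED_OPTION is a
# hypothetical name standing in for whatever a DHCP client or web server
# would export from untrusted data.

# Resolve the symlink chain behind /bin/sh (falls back to the path itself).
sh_interpreter() {
    readlink -f /bin/sh 2>/dev/null || printf '%s\n' /bin/sh
}

# Run a minimal "hook script" under interpreter $1 with an attacker-controlled
# value $2 in the environment. The hook never reads the variable; the only
# question is whether the interpreter acts on it while starting up.
# Prints whatever the hook run produced.
hook_output() {
    interp="$1"
    value="$2"
    env "UNTRUSTED_OPTION=$value" "$interp" -c 'echo hook-ran' 2>/dev/null
}

# Exit status: 0 = the shell ran the injected command (vulnerable),
#              1 = it did not, 2 = interpreter not found.
shellshock_probe() {
    interp="$1"
    command -v "$interp" >/dev/null 2>&1 || return 2
    # Constructed payload: a function body followed by a trailing command that
    # a correct shell must never execute.
    out=$(hook_output "$interp" '() { :;}; echo injected')
    case "$out" in
        *injected*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Human-readable verdict for one interpreter.
report() {
    rc=0
    shellshock_probe "$1" || rc=$?
    case "$rc" in
        0) printf '%s: executes commands from the environment (vulnerable)\n' "$1" ;;
        2) printf '%s: not installed\n' "$1" ;;
        *) printf '%s: ignores the injected command\n' "$1" ;;
    esac
    return 0
}

printf '/bin/sh -> %s\n' "$(sh_interpreter)"
for s in /bin/sh bash dash; do
    report "$s"
done
```

Run it as-is on a box with a patched bash and every line reports that the injected command was ignored; the interesting comparison is the first line, which tells you whether hooks written for "/bin/sh" are in fact being run by bash. Note that the probe only covers the function-import shape from the first report; it says nothing about the follow-up parser issues referenced in [3].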