Re: Dash as default shell

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Oct 02, 2014 at 11:59:54 -0400,
 Miloslav Trmač <mitr@xxxxxxxxxx> wrote:

As I said in the snipped part, anyone able to submit arbitrary input to a shell can already cause it to do arbitrary things. The parser bugs do not give the attacker anything they don’t already have, so they are not security-relevant. So we are back to the philosophical discussion about where is the vulnerability in putting untrusted data into the environment.

I think the disconnect there was that people assumed that as long as you controlled which environment variables (by name) were passed you were OK. It was assumed that the values weren't processed outside of what you explicitly did.

Unless the defining functions in environment values feature is disabled, this expectation is still broken, regardless of the parser fix. And I wouldn't be surprised if more issues come up in the future because of it.
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux