On 09/26/2014 10:16 AM, Leonid Isaev wrote:
The bugs which started this discussion are not a big deal anyway. They will only affect scripts that don't properly sanitize the input. Such scripts have bigger problems to worry about IMHO. The SSH-related issue is also insignificant because the bug will be triggered post-auth... Cheers,
The bug can be triggered by Apache and is potentially not limited to CGI alone  if /bin/sh links to bash. As others have stated earlier, certain syscalls can also serve as a vector, which implies that simply avoiding CGI (FastCGI, mod_*) may not provide complete resolution.
I don't know if Arch is affected, but there's a proof of concept floating around (ab)using dhcpcd's hook scripts  to exploit clients on a potentially hostile network. It also appears possible that previous patches have *not* completely fixed the issue .
I'm just a user of Arch, and while I agree (to an extent) this issue may be overblown, I certainly don't think sticking our head in the sand, pretending it doesn't exist (or cannot affect us) is a viable long-term solution.
That said, I agree with the others here: The primary reason I'd support linking /bin/sh to dash is to favor correctness. From such a standpoint, if a script asks for /bin/sh, it should expect a POSIX-compliant sh and should not rely on bashisms (i.e. I should be able to move it to *BSD or other platforms and it ought to simply work). Therefore, I agree that any improvement in terms of security would be relegated to a convenient side effect.
 http://security.stackexchange.com/a/68164  https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/  http://seclists.org/oss-sec/2014/q3/741