[arch-general] A good time to switch to dash as /bin/sh?
Maarten de Vries
maarten at de-vri.es
Fri Sep 26 16:24:43 UTC 2014
On 26 September 2014 18:16, Leonid Isaev <lisaev at umail.iu.edu> wrote:
> ---
>
> So, yes ArchLinux core tools use and will continue to use 'bashisms'
> because
> they are convenient. The bugs which started this discussion are not a big
> deal
> anyway. They will only affect scripts that don't properly sanitize the
> input.
> Such scripts have bigger problems to worry about IMHO. The SSH-related
> issue is
> also insignificant because the bug will be triggered post-auth...
>
>
I very much disagree with that statement. Any ssh key with an attached
force-command could be used to execute arbitrary commands.
Then there is dhclient which passes information to scripts in environment
variables, meaning that dhcp servers (for example on a public network)
could execute commands on vulnerable clients. I would say both are a big
deal and they are just two examples.
But as said by others, the recent bash vulnerability has been fixed and
that was not the point of this discussion anyway.
More information about the arch-general
mailing list