From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Fri, 26 Sep 2014 16:32:12 +0000
Message-ID: <20140926163212.Horde.kuocVrN6KLWBJ9UPAJ0X3Q1@ssl.eumx.net>
From: Kurt H Maier
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
References:
In-Reply-To:
User-Agent: Internet Messaging Program (IMP) H5 (6.1.6)
Content-Type: text/plain; charset=UTF-8; format=flowed; DelSp=Yes
MIME-Version: 1.0
Content-Disposition: inline
Subject: Re: [9fans] shell functions
Topicbox-Message-UUID: 172a7698-ead9-11e9-9d60-3106f5b1d025

Quoting Russ Cox:

> The right fix is to eliminate all possible interaction between (1) and (2).
> The first public fix focused instead on making (1) more robust, and guess
> what, it wasn't good enough and now there is a *second* CVE about this
> problem, and a *second* attempt at making (1) more robust. It is almost
> certainly too late to change CGI, but bash could be changed to just ignore
> CGI's variables (HTTP_*), and I hope that's what will eventually happen.
> I'm not holding my breath: I bet we'll see a cascade of patches trying to
> make this interaction "safe" instead of removing it.
>

This is a heartbreakingly web-centric view of these issues. The real
problem is that bash was evaling stuff that had () { in it, and it is
very, very much not relegated to CGI use. There are exploits in the wild
for both DHCP and ssh. Obviously bash is an awful shell, but munging it
for apache is not the right answer to anything.

khm
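
The two scopes discussed in this exchange (ignoring CGI's `HTTP_*` names versus treating any value that begins with `() {` as the problem), compared as an added example that is not part of the original message or of bash. The `EXAMPLE_*` variable names and all values are constructed, and the scrub functions are hypothetical helpers for a wrapper that prepares a child process environment.

```python
# Added example: compare a name-based and a value-based environment scrub.
# Every variable name and value in SAMPLE_ENV is constructed sample data.

FUNC_PREFIX = "() {"  # the marker the message says bash was evaluating


def scrub_by_name(env, prefixes=("HTTP_",)):
    """Name-based policy: drop variables whose NAME starts with a listed prefix."""
    return {k: v for k, v in env.items() if not k.startswith(prefixes)}


def scrub_by_value(env):
    """Value-based policy: drop any variable whose VALUE starts with '() {'."""
    return {k: v for k, v in env.items() if not v.startswith(FUNC_PREFIX)}


def residual(env):
    """Names that still carry a function-definition-shaped value."""
    return sorted(k for k, v in env.items() if v.startswith(FUNC_PREFIX))


SAMPLE_ENV = {
    "PATH": "/bin:/usr/bin",
    "HTTP_ACCEPT": "text/html",            # ordinary CGI header value
    "HTTP_USER_AGENT": "() { :; }",        # CGI-supplied, function-shaped
    "EXAMPLE_DHCP_OPTION": "() { :; }",    # hypothetical non-CGI source
    "EXAMPLE_SSH_SUPPLIED": "() { :; }",   # hypothetical non-CGI source
}


def compare(env):
    """Report what each policy leaves behind for the child shell to see."""
    return {
        "by_name": residual(scrub_by_name(env)),
        "by_value": residual(scrub_by_value(env)),
    }


if __name__ == "__main__":
    for policy, left in compare(SAMPLE_ENV).items():
        print(f"{policy}: function-shaped values remaining -> {left}")
```

The name-based scrub also discards the harmless `HTTP_ACCEPT`, while the value-based scrub keeps it and removes only the function-shaped entries.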