zsh-users
From: TJ Luoma <luomat@gmail.com>
To: "William G. Scott" <wgscott@ucsc.edu>
Cc: Peter Stephenson <p.stephenson@samsung.com>,
	Zsh-Users List <zsh-users@zsh.org>
Subject: Re: Does the bash bug have a zsh counterpart?
Date: Thu, 25 Sep 2014 13:29:01 -0400
Message-ID: <CADjGqHtMs4hfoNtF0Yq331W7y93Gi6tJKH3zOsdrRtmyUAEi2g@mail.gmail.com>
In-Reply-To: <30A8659B-9D25-4A83-BCA6-829A25FCA89D@ucsc.edu>

I realize this is pretty nearly off-topic but considering the
seriousness of this bug I’ll mention it anyway:

If you use OS X there are instructions on building your own version
from (patched) source here

http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7/146851#146851

I have used that to make a (zsh!) shell script here:

https://github.com/tjluoma/bash-fix

But do note that there is another bash vulnerability (mentioned on the
StackExchange site) which has yet to be patched. I’ll be updating my
GitHub script as new patches become available until Apple releases an
official fix.

TjL






On Thu, Sep 25, 2014 at 12:53 PM, William G. Scott <wgscott@ucsc.edu> wrote:
>
> On Sep 25, 2014, at 9:41 AM, Peter Stephenson <p.stephenson@samsung.com> wrote:
>
>> On Thu, 25 Sep 2014 09:35:01 -0700
>> "William G. Scott" <wgscott@ucsc.edu> wrote:
>>> Does any version of zsh have the same issue as bash, reported e.g. at
>>>
>>> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>
>>
>> No, search the zsh-workers archive at www.zsh.org for the last day or
>> so.
>>
>>> I was thinking of temporarily replacing sh and bash on OS X with zsh
>>> until a security fix is offered.
>>
>> If so, make sure you alias it to sh or otherwise cause it to come up in
>> POSIX mode.
>>
>> Dash might be a better bet as it's more widely used for such things.
>>
>> pws
>
> Thanks.  I decided to try living life on the edge, backed up the old versions of sh and bash, and made hard links to the system zsh.  (About 10 years ago I found a hard link to a then nonexistent ksh behaved properly whereas a symbolic link for whatever reason didn’t).  I’ve done this on 10.10b and 10.9 and rebooted and things appear to be working without issue.  So far. (At the very least, it might be entertaining to see where this might go wrong.)

