
List:       autoconf
Subject:    Re: Autoconf Digest, Vol 125, Issue 22
From:       "David A. Wheeler" <dwheeler () dwheeler ! com>
Date:       2014-09-28 17:02:36
Message-ID: E1XYHro-0002v2-C9 () rmm6prod02 ! runbox ! com

Eric Blake <eblake@redhat.com> posted on Sat, 27 Sep 2014 18:26:43 -0600:
> There has been a LOT of news about bash's Shell Shock bug lately.
> Document some of the ramifications it has on portable scripting.

Documenting this seems reasonable.

> I'm still debating about adding a sniffer to configure scripts that
> warns users if they still have a vulnerable bash on their system,

I think it'd be reasonable to add some basic detections for easy cases.

For the first 5 shellshock CVEs there's CC0-licensed code you could use here:
  https://github.com/hannob/bashcheck
Fully detecting it can be complex; that author hasn't found a way to
reliably and portably detect at least one case without address sanitizer.
But detecting the first two (CVE-2014-6271 and CVE-2014-7169)
is easy, just snag from:
  https://github.com/hannob/bashcheck/blob/master/bashcheck

A number of people (including me!) want to counter
attacks against development and build environments, e.g.:
https://mailman.stanford.edu/pipermail/liberationtech/2013-June/009257.html
http://www.dwheeler.com/trusting-trust
A reminder might encourage someone to harden their system before it's subverted.

--- David A. Wheeler
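
The kind of "easy case" sniffer discussed in this thread, written out as an added example (it is neither the bashcheck script nor anything from Autoconf; the function names shellshock_probe, probe_cve_2014_6271 and probe_cve_2014_7169 are invented here). It probes a given bash binary for CVE-2014-6271 (a command appended after an imported function definition is executed) and CVE-2014-7169 (the incomplete first fix lets a redirection in the environment value leak into the -c command, creating a file named "echo" in the current directory), and prints a configure-style warning when either is detected. It assumes a POSIX sh, mktemp -d, and that the bash under test is on PATH or given as an absolute path:

```shell
#!/bin/sh
# Added example: minimal Shellshock sniffer for the two easy CVEs.
# Exit status of shellshock_probe: 0 = a CVE was detected, 1 = clean,
# 2 = the named bash could not be run (nothing tested).

# CVE-2014-6271: an exported variable whose value looks like a function
# definition is imported by bash, and anything after the closing brace is
# executed. Only an unpatched bash prints "vulnerable" here.
probe_cve_2014_6271() {
  bash_bin=$1
  out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe' 2>/dev/null)
  case $out in
    *vulnerable*) return 0 ;;   # vulnerable: the appended command ran
    *) return 1 ;;
  esac
}

# CVE-2014-7169: on a bash with only the first fix, the parser state left
# over from the env value turns "echo date" into "date > echo", so a file
# named "echo" appears in the working directory. Run it in a scratch
# directory so a vulnerable shell cannot clobber anything real.
probe_cve_2014_7169() {
  bash_bin=$1
  dir=$(mktemp -d) || return 2
  ( cd "$dir" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 )
  if [ -e "$dir/echo" ]; then rc=0; else rc=1; fi
  rm -rf "$dir"
  return $rc
}

# Run both probes against one bash binary (default: whatever "bash" on PATH
# resolves to) and emit a warning for each CVE that is still present.
shellshock_probe() {
  bash_bin=${1:-bash}
  if ! "$bash_bin" -c 'exit 0' 2>/dev/null; then
    echo "shellshock_probe: cannot run $bash_bin, skipping check" >&2
    return 2
  fi
  found=1
  if probe_cve_2014_6271 "$bash_bin"; then
    echo "configure: WARNING: $bash_bin is vulnerable to CVE-2014-6271 (Shellshock)" >&2
    found=0
  fi
  if probe_cve_2014_7169 "$bash_bin"; then
    echo "configure: WARNING: $bash_bin is vulnerable to CVE-2014-7169 (Shellshock follow-up)" >&2
    found=0
  fi
  return $found
}
```

To use it from a script, source the file and call `shellshock_probe /bin/bash` (or just `shellshock_probe` to test the bash on PATH); a zero exit status means at least one of the two CVEs was detected and the warning was printed on stderr. As the thread notes, the later Shellshock CVEs are harder to detect reliably and are deliberately not covered here.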

