bash vulnerability

Peter Pentchev roam at ringlet.net
Thu Oct 2 08:22:15 UTC 2014


On Wed, Oct 01, 2014 at 06:58:58PM +0200, gabor at zahemszky.hu wrote:
> On 2014-09-30 at 23:48, Jason Hellenthal wrote:
> >I would agree with that. Considering the korn shell was found out to
> >be importing functions from bash this morning that it does not
> >completely know how to interpret goes to say that there is a much
> >bigger issue at face here than the mere sys admins can begin to fathom
> >quite yet.
> 
> Can you provide us links to this Korn-shell problem?

I think that Jason may have been referring to the discussion at:

https://lists.gnu.org/archive/html/bug-bash/2014-09/msg00350.html

It talks about ksh misimporting environment variables in general,
not just Bash functions.

> And which
> version of Korn-shell are you talking about? E.g. in FreeBSD ports,
> we have at least three different types of ksh:
> 
> shells/ksh93 - the original, from AT&T's David Korn
> shells/pdksh - a public domain reimplementation of the old ksh88
> shells/mksh - the MirBSD's Korn-shell (a fork of pdksh)

Well, the test with the following command:

  env 'a|b=1' ksh -c 'set' | fgrep -e 'a|b'

...shows that ksh93 is vulnerable, pdksh and mksh are not.

G'luck,
Peter

-- 
Peter Pentchev  roam at ringlet.net roam at FreeBSD.org p.penchev at storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
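The one-liner Peter uses above, generalised to any shell binary and any non-identifier name, as an added example that is not part of the original post or of any of the shells it names. It probes whether a shell turns an environment entry whose name is not a valid variable name (such as `a|b`) into a shell variable, which is the ksh93 behaviour the post reports; the list of shell names to try is an assumption about what is installed, and the probe names and marker value are constructed here. A valid name is probed first as a positive control so that a "rejects" verdict can be trusted.

```shell
#!/bin/sh
# Added example, not from the original post: probe whether a shell imports
# environment entries whose names are not valid variable names.
# Generalises:  env 'a|b=1' ksh -c 'set' | fgrep -e 'a|b'

# shell_imports_env_name SHELL NAME
#   Places NAME=<marker> in SHELL's environment, runs `set` in it and checks
#   whether the listing shows NAME bound to the marker.
#   Returns 0 if SHELL imports NAME, 1 if it does not, 2 if SHELL is absent.
shell_imports_env_name() {
    shell="$1"
    name="$2"
    marker="import_probe_$$"        # constructed marker, unique per run

    command -v "$shell" >/dev/null 2>&1 || return 2

    # `set` with no arguments lists the shell's variables. A shell that
    # validates names on startup never lists an entry such as a|b here.
    # grep -F keeps '|' and '-' literal.
    env "$name=$marker" "$shell" -c 'set' 2>/dev/null \
        | grep -F -e "$name" | grep -F -q -e "$marker"
}

# report_shell SHELL NAME
#   Prints a one-line verdict and returns the probe's status unchanged.
report_shell() {
    status=0
    shell_imports_env_name "$1" "$2" || status=$?
    case $status in
        0) printf '%s: imports "%s" (name not validated)\n' "$1" "$2" ;;
        1) printf '%s: rejects "%s"\n' "$1" "$2" ;;
        *) printf '%s: not installed, skipped\n' "$1" ;;
    esac
    return $status
}

# Positive control: every shell must import a syntactically valid name.
report_shell sh valid_probe_name

# Shell names are assumptions about what is installed; absent ones are skipped.
# a|b is the post's test case; a-b is a second constructed invalid name.
for shell in sh bash ksh93 ksh pdksh mksh; do
    for name in 'a|b' 'a-b'; do
        report_shell "$shell" "$name"
    done
done
```

Run it as a plain script; each installed shell gets one line per probed name. The second `grep` on the marker value, rather than on the name alone, avoids a false "imports" verdict from any unrelated variable whose value happens to contain the probed name.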