[kwlug-disc] Vulnerability in bash

Fri Sep 26 16:06:29 EDT 2014

Ars Technica is reporting that another patch is out now:

http://arstechnica.com/security/2014/09/new-shellshock-patch-rushed-out-to-resolve-gaps-in-first-fix/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+All+content%29

Say what you want about Linux, the community is very fast to fix things!

On 26 September 2014 15:14, William Park <opengeometry at yahoo.ca> wrote:

> On Fri, Sep 26, 2014 at 11:27:55AM -0400, Giles Malet wrote:
> > On 14-09-25 07:18 PM, William Park wrote:
> > >If the command is built-in, then shell runs it.
> >
> > We're getting somewhat off topic, but bash will start subshells for
> certain
> > loops. I can't remember off the top of my head which, but I know to be
> > carefully of variable assignment within a loop, since if it's done in a
> > subshell the assignment is lost.
> >
> > Some thing like:
> >
> > A="a"; loop ... A=b ... end loop; echo $A
> >
> > produces "a", not "b", since that second assignment is lost.
>
> That would be if the loop is part of pipe, because each part is separate
> process, ie. fork/exec with consecutive parts connected to each other by
> pipe.
>
> >
> > But it's true what people have said: because of all this your running
> shell
> > is probably pretty safe from being 0wned; subshells are vulnerable,
> unless
> > you have a new binary.
> >
> > g
> >
> >
> > _______________________________________________
> > kwlug-disc mailing list
> > kwlug-disc at kwlug.org
> > http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>
>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20140926/8d6f431f/attachment.htm>