[GLLUG] Bash Bug

Karanbir Singh mail-lists at karan.org
Thu Sep 25 22:27:31 UTC 2014


On 09/25/2014 10:44 PM, Alain Williams wrote:
> On Thu, Sep 25, 2014 at 10:38:32PM +0100, Alain Williams wrote:
>> ....
> 
> FYI: something referenced from the SELinux mail list:
> 
>     https://danwalsh.livejournal.com/71122.html
> 

this is a great post on how SELinux can help overall in situations like
this as well.

the other thing that is important to note here is that there is -lots-
of software out there that uses system() calls to do things, every one
of those is potentially at risk here; nagios / gitweb etc are just a tip
of the iceberg. There is plenty of desktop / app grade software that
does this as well.

So, although I agree that bash for cgi-scripts is just completely
whacked out, in many cases the issue is being inherited from other code,
that does the system shell out.

btw, sky hd+ boxes running linux... also exploitable.

-- 
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc
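
An added example, not part of the original post: system() hands its command string to /bin/sh together with the caller's entire environment, which is how programs that shell out inherit a shell bug. The sketch below replaces that pattern with fork/execve and an allowlisted environment; `build_clean_env`, `run_no_shell`, `ENV_ALLOW` and the `/usr/bin/id` helper are names assumed for illustration.

```c
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Assumed allowlist; adjust to what the helper really needs. */
static const char *const ENV_ALLOW[] = { "PATH", "LANG", "TZ", NULL };

/* Copy only allowlisted NAME=value entries from src into dst.
   dst holds at most max-1 entries plus the terminating NULL. */
size_t build_clean_env(char *const src[], char *dst[], size_t max)
{
    size_t n = 0;
    if (max == 0) return 0;
    for (size_t i = 0; src[i] != NULL && n + 1 < max; i++) {
        for (size_t j = 0; ENV_ALLOW[j] != NULL; j++) {
            size_t len = strlen(ENV_ALLOW[j]);
            /* Exact name match: "PATH=" passes, "PATHX=" does not. */
            if (strncmp(src[i], ENV_ALLOW[j], len) == 0 && src[i][len] == '=') {
                dst[n++] = src[i];
                break;
            }
        }
    }
    dst[n] = NULL;
    return n;
}

/* Stand-in for system("prog args"): fork + execve, so no shell parses
   anything and the child sees only envp.
   Returns the child's exit status, or -1 on error. */
int run_no_shell(const char *path, char *const argv[], char *const envp[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(path, argv, envp);
        _exit(127);                      /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

extern char **environ;
int main(void)
{
    char *clean[8];
    char *argv[] = { "id", NULL };       /* hypothetical helper */
    build_clean_env(environ, clean, 8);
    return run_no_shell("/usr/bin/id", argv, clean) == 0 ? 0 : 1;
}
```
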