bash security hole

accessys at smart.net
Sun Sep 28 02:55:01 UTC 2014


I am often called a Neanderthal and still occasionally use PICO

I have gotten two patches for Bash in the last two days from kubuntu site

Bob


On Sat, 27 Sep 2014, Steve Riley wrote:

> Date: Sat, 27 Sep 2014 19:26:14 -0700
> From: Steve Riley <steve at rileyz.net>
> Reply-To: Kubuntu user technical support <kubuntu-users at lists.ubuntu.com>
> To: Kubuntu user technical support <kubuntu-users at lists.ubuntu.com>
> Subject: Re: bash security hole
> 
> On 2014-09-27 08:55:01 Scott DuBois <sdubois at linux.com> wrote:
>>
>> Thanks Steve, but isn't dash public facing through the servers while
>> bash is not (at least by default anyway).
>>
>> _from another mailing list_:
>>
>> "If I understand correctly, the general path to execution is any external
>> calls to bash explicitly, or to /bin/sh in any fashion, most notably via
>> the system(3) syscall.  Amirite?  So, first point, /bin/sh doesn't need
>> to be bash.  On Debian[1]/*buntu[2] systems by default, it's been dash
>> (Debian Almquist shell, a variant of the lightweight Bourne-compatible
>> Almquist shell 'ash') for many years, because dash is smaller, faster, and
>> -- ta da!  -- less feature-bloated hence less likely to be involved in
>> security problems."
>
> Not exactly sure what you may mean by "public facing." The author of a script can specify whatever shell he/she wishes for executing any script. You'll see this in the first line. For instance, scripts that begin with
>
> #!/bin/bash
>
> will use Bash to execute. Scripts that begin with
>
> #!/bin/sh
>
> will use sh. On Debian/Ubuntu, /bin/sh is a symbolic link to /bin/dash. The #! notation is called a "shebang"; read more at https://en.wikipedia.org/wiki/Shebang_(Unix).
>
> Bash is the default login shell for Debian and Ubuntu. It's also used by quite a number of scripts in the system. You can check this for yourself:
>
> user at host:~$ grep -R '#!/bin/bash' /bin /sbin /usr/bin /usr/sbin
>
> Notably, /sbin/dhclient-script is the one that seems to allow malicious DNS servers to attack a target machine.
>
>
> ...Steve
>
>
> --
> kubuntu-users mailing list
> kubuntu-users at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/kubuntu-users
>
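Steve's grep above only finds scripts whose first line is exactly `#!/bin/bash`; scripts starting with `#!/usr/bin/env bash` or `#!/bin/bash -e` also run under bash and would be missed. As an added example (not from this thread), the following POSIX sh script inventories the interpreter each script declares and reports what /bin/sh really resolves to; it assumes find, head, tr, basename and readlink are available.

```shell
#!/bin/sh
# Added example: count how many scripts under the given directories
# actually run under bash (directly or via "env bash") versus /bin/sh,
# which on Debian/Ubuntu resolves to dash.

# shebang_interp FILE -> basename of the interpreter named in FILE's
# shebang ("bash", "sh", "python3", ...), or "none" if there is no "#!".
shebang_interp() {
    # Read only the first line; drop NUL bytes so binaries do not upset the shell.
    line=$(head -c 256 "$1" 2>/dev/null | tr -d '\000' | head -n 1)
    case "$line" in
        '#!'*) ;;
        *) echo none; return 0 ;;
    esac
    # Strip "#!" and split on whitespace: $1 is the interpreter path,
    # $2 its first argument (the real interpreter when $1 is env).
    set -- $(printf '%s\n' "${line#"#!"}")
    interp=$(basename "$1")
    if [ "$interp" = env ] && [ -n "$2" ]; then
        interp=$2
    fi
    echo "$interp"
}

# count_bash_scripts DIR... -> prints "<bash> <sh> <other>" counts for
# every regular file found under the directories given.
count_bash_scripts() {
    find "$@" -type f 2>/dev/null | {
        bash=0; sh=0; other=0
        while IFS= read -r f; do
            case "$(shebang_interp "$f")" in
                bash) bash=$((bash + 1)) ;;
                sh)   sh=$((sh + 1)) ;;
                *)    other=$((other + 1)) ;;
            esac
        done
        echo "$bash $sh $other"
    }
}

# sh_target -> the binary /bin/sh actually points at (dash on Debian/Ubuntu).
sh_target() { readlink -f /bin/sh; }

# Typical use on a real system (same directories Steve grepped):
#   count_bash_scripts /bin /sbin /usr/bin /usr/sbin
#   sh_target
```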
