pkgsrc-Changes archive


Re: CVS commit: pkgsrc/shells/bash



christos%zoulas.com@localhost (Christos Zoulas) writes:

> On Sep 26, 10:39am, obata%lins.jp@localhost ("OBATA Akio") wrote:
> -- Subject: Re: CVS commit: pkgsrc/shells/bash
>
> | Where this "new feature, change default behaviour" came from (in pkgsrc feature freeze)?
>
> Me. This is a security fix. There are currently:
>
>       - 2 CVE's
>       - 1 official patch for one CVE
>       - 1 unofficial one that fixes one regression by the official patch
>       - a second regression POC
>
> There is active discussion about adding prefixes and suffixes to
> prevent parsing errors. I am definitely not going to wait for the
> ultimate fix to come when there are active exploits in the wild
> and unknown attack vectors. AKAMAI implemented something similar
> (disabled the feature completely).
>
> If you don't like it, bring it up with the pkgsrc gods. I am trying to
> protect the innocent public the best way I can.

In an ideal world this would have been discussed ahead of time, but the
bug hit near the end of the freeze.  Still, there were 4-12 hours for "I
think we should do X" and IMHO that should have happened.

My reaction was that it's completely nuts for bash to read function
definitions from the environment, so I'm fine with disabling this
apparent misfeature.  And I agree with Christos's assessment that this
code is too fragile to have confidence in the bug fixes.

Overall, I think that if we had had the discussion, we'd have ended up
solidly at disable-this-misfeature.  So I think the current state is
ok.


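As an added check from the defender's side (this script is not part of the thread or of the pkgsrc patch), the POSIX shell probes below tell you whether the bash on PATH still imports function definitions from plain environment variables, the behaviour being disabled here, and whether it instead honours only variables named in the prefixed/suffixed form `BASH_FUNC_<name>%%`. That form is the one later bash releases settled on; it is assumed here, since the thread only says prefixes and suffixes were under discussion. Each probe defines a harmless function that echoes a marker and nothing else.

```shell
#!/bin/sh
# Added example, not from the thread: probe whether the bash on PATH still
# imports shell functions from environment variables. Call the probes in an
# "if" condition; they return 0 when the import path in question is active.

# Returns 0 if a bash binary is available to test, 1 otherwise.
have_bash() {
    command -v bash >/dev/null 2>&1
}

# Legacy behaviour: any variable whose value begins with "() {" was turned
# into a function at startup, whatever the variable's name. Returns 0 when
# that import path is still active (the state the thread wants disabled).
bash_imports_plain_env_functions() {
    have_bash || return 1
    out=$(env 'probe=() { echo imported; }' bash -c 'probe' 2>/dev/null || true)
    [ "$out" = "imported" ]
}

# Namespaced behaviour: only variables named BASH_FUNC_<name>%% are
# considered (assumed: the prefix/suffix scheme later bash releases use).
# Returns 0 when bash honours the namespaced form, which is the intended
# "export -f" channel rather than the bug.
bash_imports_prefixed_env_functions() {
    have_bash || return 1
    out=$(env 'BASH_FUNC_probe%%=() { echo imported; }' bash -c 'probe' 2>/dev/null || true)
    [ "$out" = "imported" ]
}

# Human-readable summary, one line per probe.
report_bash_env_function_import() {
    if ! have_bash; then
        echo "bash: not found on PATH"
        return 2
    fi
    if bash_imports_plain_env_functions; then
        echo "plain env function import: ACTIVE (unpatched behaviour)"
    else
        echo "plain env function import: disabled"
    fi
    if bash_imports_prefixed_env_functions; then
        echo "BASH_FUNC_<name>%% import: honoured"
    else
        echo "BASH_FUNC_<name>%% import: not honoured"
    fi
}

report_bash_env_function_import
```

On a bash built with the feature disabled outright, as the pkgsrc change does, both probes report the import as disabled or not honoured.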


