David A. Wheeler
2014-09-28 17:02:36 UTC
> There has been a LOT of news about bash's Shell Shock bug lately.
> Document some of the ramifications it has on portable scripting.

Documenting this seems reasonable.

> I'm still debating about adding a sniffer to configure scripts that
> warns users if they still have a vulnerable bash on their system,

I think it'd be reasonable to add some basic detections for easy cases.
For the first 5 shellshock CVEs there's CC0-licensed code you could use here:
https://github.com/hannob/bashcheck
Fully detecting it can be complex; that author hasn't found a way to
reliably and portably detect at least one case without address sanitizer.
But detecting the first two (CVE-2014-6271 and CVE-2014-7169)
is easy, just snag from:
https://github.com/hannob/bashcheck/blob/master/bashcheck
A number of people (including me!) want to counter
attacks against development and build environments, e.g.:
https://mailman.stanford.edu/pipermail/liberationtech/2013-June/009257.html
http://www.dwheeler.com/trusting-trust
A reminder might encourage someone to harden their system before it's subverted.
--- David A. Wheeler
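A configure-style sniffer for the two easy cases named above, added here as an example (it is not code from this thread or from bashcheck). It assumes the bash to probe is the first one on PATH, overridable through BASH_BIN, and is written for a POSIX sh because that is what configure runs under.

```shell
# Constructed example: probe the local bash for the two Shellshock CVEs
# that are simple to detect. Returns 0 (true) from each probe when bash
# is vulnerable, so a configure script can warn and carry on.
BASH_BIN=${BASH_BIN:-bash}   # assumption: bash is on PATH

# CVE-2014-6271: a function definition imported from the environment is
# followed by a trailing command, which an unpatched bash runs at startup.
# A patched bash ignores the trailing text, so the marker never appears.
shellshock_6271() {
    out=$(env SS_PROBE='() { :;}; echo SS_MARKER_6271' \
          "$BASH_BIN" -c 'true' 2>/dev/null) || :
    case $out in
        *SS_MARKER_6271*) return 0 ;;
        *)                return 1 ;;
    esac
}

# CVE-2014-7169: the incomplete first fix left the parser in a state where
# the next word of the -c command becomes a redirection target, creating a
# file named "echo". Probe inside a private temp dir so nothing lands in
# the caller's source tree, then remove the dir whatever the outcome.
shellshock_7169() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env SS_PROBE='() { (a)=>\' \
      "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 ) || :
    if [ -f "$dir/echo" ]; then
        rm -rf "$dir"; return 0
    fi
    rm -rf "$dir"; return 1
}

# configure-style summary: warnings on stderr, status 0 if neither fires.
shellshock_report() {
    status=0
    if shellshock_6271; then
        echo "configure: WARNING: bash is vulnerable to CVE-2014-6271" >&2
        status=1
    fi
    if shellshock_7169; then
        echo "configure: WARNING: bash is vulnerable to CVE-2014-7169" >&2
        status=1
    fi
    [ "$status" -eq 0 ] && echo "configure: bash passed Shellshock probes"
    return "$status"
}
```

The probes only inspect the bash on the machine running configure; a missing bash reads as "not vulnerable", so a real configure check would first test that `$BASH_BIN` exists.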