CGI::Application and recent bash security hole
David Cantrell
david at cantrell.org.uk
Fri Sep 26 12:06:10 BST 2014
On Thu, Sep 25, 2014 at 05:50:54PM +0100, Dagfinn Ilmari Mannsåker wrote:
> Remember that Perl's system()¹, as well as C's system() and popen()
> invoke /bin/sh, which may or may not be bash (it is on RedHat-like
> systems, but not on Debian-like systems, for example).
ORLY?
$ ls -l /bin/bash /bin/sh
-rwxr-xr-x 1 root root 625228 Dec 19 2004 /bin/bash
lrwxrwxrwx 1 root root 4 Aug 16 2007 /bin/sh -> bash
On *recent* Debian-ish systems sh isn't bash, but it's foolish to assume
that all Debian-ish systems are recent.
--
David Cantrell | http://www.cantrell.org.uk/david
"The whole aim of practical politics is to keep the populace alarmed
(and hence clamorous to be led to safety) by menacing it with an
endless series of hobgoblins, all of them imaginary" -- H. L. Mencken
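
The `ls -l` check shown in the message above, generalized into a small audit script. This is an added example, not part of the original post, and the function names (`resolve_path`, `bash_version_of`, `describe_shell`) are hypothetical. It follows the symlink chain by hand and also asks the shell itself whether it is bash, which catches a /bin/sh that is a renamed copy of bash rather than a link to it.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# Follow a chain of symlinks by hand (readlink -f is not available everywhere).
resolve_path() {
    p=$1
    hops=0
    while [ -L "$p" ]; do
        hops=$((hops + 1))
        [ "$hops" -le 40 ] || return 1          # give up on symlink loops
        target=$(readlink "$p") || return 1
        case $target in
            /*) p=$target ;;                     # absolute link target
            *)  p=$(dirname "$p")/$target ;;     # relative to the link's directory
        esac
    done
    printf '%s\n' "$p"
}

# bash sets BASH_VERSION even when it is started under the name "sh";
# dash, ash and ksh leave it unset. Prints the version, or nothing.
bash_version_of() {
    "$1" -c 'printf "%s" "${BASH_VERSION:-}"' 2>/dev/null || true
}

# One-line report for a shell path, e.g. the /bin/sh that system() invokes.
describe_shell() {
    real=$(resolve_path "$1") || real='(unresolved: symlink loop?)'
    ver=$(bash_version_of "$1")
    if [ -n "$ver" ]; then
        printf '%s -> %s: bash %s\n' "$1" "$real" "$ver"
    else
        printf '%s -> %s: not bash\n' "$1" "$real"
    fi
}

describe_shell /bin/sh
```

Run it on each host instead of inferring the answer from the distribution name; a reported bash version can then be compared against the vendor's fixed package.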