CGI::Application and recent bash security hole

David Cantrell david at cantrell.org.uk
Fri Sep 26 12:06:10 BST 2014


On Thu, Sep 25, 2014 at 05:50:54PM +0100, Dagfinn Ilmari Mannsåker wrote:

> Remember that Perl's system()¹, as well as C's system() and popen()
> invoke /bin/sh, which may or may not be bash (it is on RedHat-like
> systems, but not on Debian-like systems, for example).

ORLY?

$ ls -l /bin/bash /bin/sh
-rwxr-xr-x    1 root     root       625228 Dec 19  2004 /bin/bash
lrwxrwxrwx    1 root     root            4 Aug 16  2007 /bin/sh -> bash

On *recent* Debian-ish systems sh isn't bash, but it's foolish to assume
that all Debian-ish systems are recent.

-- 
David Cantrell | http://www.cantrell.org.uk/david

"The whole aim of practical politics is to keep the populace alarmed
 (and hence clamorous to be led to safety) by menacing it with an
 endless series of hobgoblins, all of them imaginary"  -- H. L. Mencken

