CGI::Application and recent bash security hole

David Cantrell david at
Fri Sep 26 12:06:10 BST 2014

On Thu, Sep 25, 2014 at 05:50:54PM +0100, Dagfinn Ilmari Mannsåker wrote:

> Remember that Perl's system()¹, as well as C's system() and popen()
> invoke /bin/sh, which may or may not be bash (it is on RedHat-like
> systems, but not on Debian-like systems, for example).


$ ls -l /bin/bash /bin/sh
-rwxr-xr-x    1 root     root       625228 Dec 19  2004 /bin/bash
lrwxrwxrwx    1 root     root            4 Aug 16  2007 /bin/sh -> bash

On *recent* Debian-ish systems sh isn't bash, but it's foolish to assume
that all Debian-ish systems are recent.

David Cantrell |

"The whole aim of practical politics is to keep the populace alarmed
 (and hence clamorous to be led to safety) by menacing it with an
 endless series of hobgoblins, all of them imaginary"  -- H. L. Mencken
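
The check discussed in this message, as an added example that is not part of the original post: it follows the symlink chain behind a shell path such as /bin/sh and reports whether the binary that system() and popen() would end up running is bash. The function names `resolve_link` and `sh_flavour` are hypothetical, chosen for this illustration.

```shell
#!/bin/sh
# Added example: is the shell behind a given path (default /bin/sh) really bash?

# Follow a symlink chain to its final target without relying on readlink -f.
resolve_link() {
    p=$1
    n=0
    while [ -L "$p" ] && [ "$n" -lt 40 ]; do
        t=$(readlink "$p") || return 1
        case $t in
            /*) p=$t ;;                    # absolute link target
            *)  p=$(dirname "$p")/$t ;;    # relative target, e.g. "sh -> bash"
        esac
        n=$((n + 1))
    done
    printf '%s\n' "$p"
}

# Prints "bash", "not-bash" or "missing" for the shell at $1.
sh_flavour() {
    target=$(resolve_link "${1:-/bin/sh}") || return 1
    [ -e "$target" ] || { echo "missing"; return 0; }
    case $(basename "$target") in
        bash|bash-*) echo "bash"; return 0 ;;
    esac
    # Hard link or renamed copy: ask the binary itself.
    # bash sets BASH_VERSION even when it is invoked under the name sh.
    v=$("$target" -c 'echo "${BASH_VERSION:-}"' 2>/dev/null) || v=""
    if [ -n "$v" ]; then echo "bash"; else echo "not-bash"; fi
}

echo "/bin/sh -> $(resolve_link /bin/sh) ($(sh_flavour /bin/sh))"
```

On a host where this reports bash, every CGI handler or library call that goes through system() or popen() runs bash, whatever interpreter the application itself is written in.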
