
Re: bash exorcism experiment ('bug' 762923 & 763012)



On Thu, Oct 2, 2014 at 11:33 AM, Russ Allbery <rra@debian.org> wrote:
> shawn wilson <ag4ve.us@gmail.com> writes:
>
>> I hate the idea of dash. It's not more secure (see vmware cve for an
>> example) and I think it was more of an accident than anything else this
>> didn't hit dash too.
>
> The fact that this specific problem didn't hit dash certainly isn't an
> accident.  The exploited functionality simply doesn't exist in dash.
>

I'm pretty sure dash never got a rewrite? So this just happened to be
a "feature" that got ripped out of dash. I'm not sure why it got
ripped out, but I'm pretty certain it wasn't because the devs saw a
security issue here (I should go looking to see if there's a public
repo and see if I can find where the "feature" was removed and why).

Now, if you're right and this was removed in dash because of a
security concern, that'd be more interesting than my theory that they
just got lucky.

