Re: bash exorcism experiment ('bug' 762923 & 763012)
On Thu, Oct 2, 2014 at 11:33 AM, Russ Allbery <rra@debian.org> wrote:
> shawn wilson <ag4ve.us@gmail.com> writes:
>
>> I hate the idea of dash. It's not more secure (see vmware cve for an
>> example) and I think it was more of an accident than anything else this
>> didn't hit dash too.
>
> The fact that this specific problem didn't hit dash certainly isn't an
> accident. The exploited functionality simply doesn't exist in dash.
>
I'm pretty sure dash never got a rewrite? So this just happened to be
a "feature" that got ripped out of dash. I'm not sure why it got
ripped out, but I'm pretty certain it wasn't because the devs saw a
security issue here (I should go looking to see if there's a public
repo and see if I can find where the "feature" was removed and why).
Now, if you're right and this was removed in dash because of a
security concern, that'd be more interesting than my theory that they
just got lucky.
Reply to: