
Re: bash exorcism experiment ('bug' 762923 & 763012)

shawn wilson <ag4ve.us@gmail.com> writes:
> On Thu, Oct 2, 2014 at 11:33 AM, Russ Allbery <rra@debian.org> wrote:
>> shawn wilson <ag4ve.us@gmail.com> writes:

>>> I hate the idea of dash. It's not more secure (see vmware cve for an
>>> example) and I think it was more of an accident than anything else
>>> this didn't hit dash too.

>> The fact that this specific problem didn't hit dash certainly isn't an
>> accident.  The exploited functionality simply doesn't exist in dash.

> I'm pretty sure dash never got a rewrite? So this just happened to be
> a "feature" that got ripped out of dash.

The feature of exporting functions into the environment and importing them
from the environment has never been implemented in dash or ash so far as I
know.  I don't believe it's been implemented in anything except bash.
It's a bash-specific feature.

That's always been the point in favor of dash: it simply is smaller, has
fewer features, and tries to do much less.  That makes it a weaker
interactive shell for obvious reasons, but that's why it's faster and also
why it is less likely to have security vulnerabilities of this kind.  You
can't have implementation-based security vulnerabilities in code that
doesn't exist for features that aren't implemented.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
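
A check for the behaviour described in the message above, as an added example that is not part of the original e-mail: a parent bash exports a function, then each candidate shell is asked to call it by name. The names `probe_shell` and `probe_fn` and the marker string are constructed for this example, and it assumes bash is installed to act as the exporting parent.

```shell
#!/bin/sh
# Added example: report whether a shell imports functions that bash
# exported into the environment. All names here are constructed.

# probe_shell SHELL -> prints imported | not-imported | missing | no-bash
probe_shell() {
    candidate=$1
    # bash is needed as the parent, because only bash can export a function.
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    command -v "$candidate" >/dev/null 2>&1 || { echo missing; return 0; }

    # The parent bash defines and exports probe_fn, then replaces itself
    # with the candidate shell, which tries to run probe_fn as a command.
    # A shell without the import feature reports "not found" and prints
    # nothing on stdout.
    out=$(bash -c '
        probe_fn() { echo fn-from-env; }
        export -f probe_fn
        exec "$1" -c probe_fn
    ' _ "$candidate" 2>/dev/null) || true

    if [ "$out" = "fn-from-env" ]; then
        echo imported
    else
        echo not-imported
    fi
}

# Report on the system shell and the two shells discussed in the thread.
for sh in /bin/sh bash dash; do
    printf '%-8s %s\n' "$sh" "$(probe_shell "$sh")"
done
```
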
