[Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
Chris Angelico rosuav at gmail.com
Fri Sep 26 02:33:07 CEST 2014
On Fri, Sep 26, 2014 at 10:29 AM, Devin Jeanpierre <jeanpierreda at gmail.com> wrote:
> As I understand it, if the attacker can help specify the environment (e.g. this is a CGI script), and you run os.system('echo hi'), you can get pwned. Even safe uses of os.system are vulnerable unless you point /bin/sh at a secure shell (e.g. patched bash).
/bin/sh may well not point to bash anyway - it doesn't on any of my systems. Debian provides dash instead, much faster than bash. But if you're invoking a script that calls for bash, then it's vulnerable.
ChrisA
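The two points in this exchange (which binary /bin/sh actually is, and an environment the caller does not control reaching a shell) can be checked and reduced from Python. This is an added example, not code from the thread; the helper names, the allow-list and the sample environment are assumptions made for illustration.

```python
import os
import subprocess

# Unpatched bash imported any variable whose value begins with "() {"
# as a function definition.
FUNC_PREFIX = "() {"

# Constructed sample of a CGI-style environment; the header value is a placeholder.
SAMPLE_CGI_ENV = {
    "PATH": "/usr/bin:/bin",
    "LANG": "C",
    "QUERY_STRING": "q=1",
    "HTTP_USER_AGENT": "() { :; }; PLACEHOLDER",
}

def shell_target(path="/bin/sh"):
    """Resolve symlinks to see what `path` really runs (dash, bash, ...).
    A result still named 'sh' says nothing about which shell it is."""
    return os.path.realpath(path)

def scrub_env(env, allow=("PATH", "LANG", "LC_ALL", "TZ")):
    """Return (clean, dropped): keep allow-listed names only, and drop even
    those if the value looks like an exported function definition."""
    clean, dropped = {}, []
    for name, value in env.items():
        if name in allow and not value.startswith(FUNC_PREFIX):
            clean[name] = value
        else:
            dropped.append(name)
    return clean, sorted(dropped)

def run_without_shell(argv, env):
    """Run argv directly (no /bin/sh in between) with the scrubbed environment."""
    clean, _ = scrub_env(env)
    clean.setdefault("PATH", "/usr/bin:/bin")
    done = subprocess.run(argv, env=clean, shell=False,
                          capture_output=True, text=True, check=True)
    return done.stdout

if __name__ == "__main__":
    print("/bin/sh resolves to:", shell_target())
    print("dropped:", scrub_env(SAMPLE_CGI_ENV)[1])
    print(run_without_shell(["env"], SAMPLE_CGI_ENV), end="")
```

Scrubbing only narrows what reaches a child process; a script that itself calls for bash still depends on bash being patched.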