anti-shellshock suggestions

Lee Bast x-lists at asgarda.com
Mon Sep 29 06:35:22 PDT 2014


New exploit variants (CVE-2014-6278), this looks like the vuln that'll keep on giving until bash has a more fundamental fix decided upon. In the meantime, would it be worth giving any consideration to the NetBSD patch that simply disables default environmental function importing? Both NetBSD and FreeBSD have adopted that as an interim solution:

• http://seclists.org/oss-sec/2014/q3/755
• http://seclists.org/oss-sec/2014/q3/802
• https://svnweb.freebsd.org/ports/head/shells/bash/files/extrapatch-import-functions?revision=369467&view=co&pathrev=369467

A variant with that patch seems like a promising approach to avoid the whack-a-mole game. In that thread they discuss simply abandoning backwards compatibility entirely and removing it, but there are arguments either way and that seems like a step too far for MacPorts as well. But making it an explicit flag/warning might be a good compromise.

On Sep 29, 2014, at 0453 , René J.V. Bertin <rjvbertin at gmail.com> wrote:
> - how about adding a variant to the bash (and dash) portfiles allowing users to copy the MacPorts version into /bin (moving the original version to something like bash.macportsBackup if that backup doesn't yet exist)?

Beyond what Rainer Müller said, what do you mean "allowing"? There's nothing stopping you from just copying it over or linking it yourself while renaming/-x'ing the standard ones. You'll have to test your own setup of course, but it should be trivial to revert, and FWIW I saw no issues after giving it a shot in a few VMs and a test system.
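An added check, not from this thread or from the MacPorts or FreeBSD patches, that reports whether a given bash binary still imports shell functions from its environment, i.e. whether it behaves like stock bash or like the NetBSD/FreeBSD interim patch discussed above. The candidate paths /bin/bash and /opt/local/bin/bash and the function name probe_fn are assumptions for illustration; the test is benign, it only exports an ordinary function and asks a child bash whether it arrived.

```shell
#!/bin/sh
# check_function_import BASH_BINARY
# Exit status: 0 = imports functions from the environment (stock behaviour),
#              1 = does not import them (NetBSD/FreeBSD-style patch in effect),
#              2 = binary missing or not runnable.
check_function_import() {
    bin="$1"
    [ -x "$bin" ] || return 2
    # Let the bash under test do its own export, so the environment encoding
    # matches whatever that version uses, then spawn the same binary and see
    # whether the function exists there. "$0" is expanded by the child bash.
    result=$("$bin" -c '
        probe_fn() { echo imported; }   # probe_fn is a constructed name
        export -f probe_fn
        "$0" -c "type probe_fn >/dev/null 2>&1 && echo yes || echo no"
    ' "$bin" 2>/dev/null) || return 2
    case "$result" in
        yes) return 0 ;;
        no)  return 1 ;;
        *)   return 2 ;;
    esac
}

# Assumed candidate paths: the system bash and a MacPorts-installed bash.
for b in /bin/bash /opt/local/bin/bash; do
    if check_function_import "$b"; then
        echo "$b: imports functions from the environment"
    elif [ $? -eq 1 ]; then
        echo "$b: does not import functions from the environment"
    else
        echo "$b: not found or not runnable"
    fi
done
```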

