[Info-vax] And now bash has a vulnerability Was: Re: Malware in kernel mode OT: Larry Ellison takes retirement as CEO of Oracle

Johnny Billquist bqt at softjar.se
Wed Sep 24 18:21:06 EDT 2014


On 2014-09-24 23:21, Paul Sture wrote:
> On 2014-09-24, Johnny Billquist <bqt at softjar.se> wrote:
>
>>
>> The code better be VMS-aware, or it most likely will not get anywhere.
>>
>> And no one argued that you cannot find exploits in VMS.
>> I was merely pointing out that any Unix (or Windows, or whatever)
>> exploits are not relevant for VMS. Heck, even buffer overflows in TCP/IP
>> will in all likelihood be different, and triggered differently than
>> under any other OS. Because even though for TCP/IP, VMS might have
>> ported code from Unix, there will still be changes and differences that
>> are highly relevant when you try to use various bugs for exploits.
>
> But we also have to consider flaws in software ported from *nix.
>
> The one in the headlines today (already patched on Scientific Linux)
> is bash.
>
> "Bash specially-crafted environment variables code injection attack"
>
> <https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/>
>
> "Bug in Bash shell creates big security hole on anything with *nix in it"
>
> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>

Indeed. There is a potential when we're talking about ported code.
However, most of the time, when we're talking VMS, a port is more than just a
recompile, if the code does anything interesting.

bash is a typical example of something that, even though possible to get 
running on VMS, will present such a different environment and behavior 
that it becomes a different story than under Unix.
And as the text you quoted says: "anything with *nix in it". Which does 
not mean VMS. :-)

Once more. I am not saying that VMS is particularly safe, just that 
Unix- (or Windows-) centric exploits are not much relevant for VMS.

	Johnny
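The bug the thread links to (the bash "specially-crafted environment variables" issue, commonly called Shellshock) is triggered by an environment-variable value that begins with a bash function definition, "() {", which pre-patch bash kept executing past the closing brace. On a web server that hands request headers to CGI scripts as environment variables, the defender's first check is therefore a scan of access logs for that prefix. The following is an added example, not code from the thread or from any of the posters; it assumes the Apache/nginx "combined" log format and uses constructed sample lines.

```python
import re

# Pre-patch bash treated any environment-variable value beginning with
# "() {" as a function definition and kept executing what followed the
# closing brace, so the detection signature is simply that prefix
# (optional whitespace allowed around the tokens).
FUNC_DEF_PREFIX = re.compile(r"^\s*\(\)\s*\{")

# Apache/nginx "combined" log format (assumed here):
# client ident user [timestamp] "request" status bytes "referer" "user-agent"
COMBINED_LOG = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def is_function_injection(value: str) -> bool:
    """True if a header (or any env-var) value starts with a bash function definition."""
    return FUNC_DEF_PREFIX.match(value) is not None


def scan_combined_log(lines):
    """Return (client, field, value) for every entry whose User-Agent or
    Referer header carries the bash function-definition prefix.  Both
    headers end up in the CGI environment (HTTP_USER_AGENT, HTTP_REFERER),
    which is why they are the fields worth checking."""
    hits = []
    for line in lines:
        m = COMBINED_LOG.match(line)
        if not m:
            continue  # malformed line; a real tool would count and report these
        for field in ("agent", "referer"):
            if is_function_injection(m.group(field)):
                hits.append((m.group("client"), field, m.group(field)))
    return hits


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Sep/2014:18:21:06 -0400] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Sep/2014:18:22:10 -0400] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
    '198.51.100.7 - - [24/Sep/2014:18:22:11 -0400] "GET / HTTP/1.1" 200 1024 "() { x;}; echo probe" "curl/7.30"',
]

if __name__ == "__main__":
    for hit in scan_combined_log(SAMPLE_LOG):
        print("suspect function injection from %s in %s header: %r" % hit)
```

The same prefix test applies to any other header a CGI gateway exports (for example Cookie or Host), so extending the field list is a one-line change; note that a hit only tells you a probe arrived, not that the bash behind the script was unpatched.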