[Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

[Chris Angelico]

On Fri, Sep 26, 2014 at 10:29 AM, Devin Jeanpierre
<jeanpierreda at gmail.com> wrote:
> As I understand it, if the attacker can help specify the environment
> (e.g. this is a CGI script), and you run os.system('echo hi'), you can
> get pwned. Even safe uses of os.system are vulnerable unless you point
> /bin/sh at a secure shell (e.g. patched bash).

/bin/sh may well not point to bash anyway - it doesn't on any of my
systems. Debian provides dash instead, much faster than bash. But if
you're invoking a script that calls for bash, then it's vulnerable.

ChrisA