Re: Simplicity (mostly) guarantees security

Kiëd Llaentenn
Message ID
<C2MB51R3DKAC.4AJ74DL6N3CX@tilde>
> ...but really, I couldn't think of a better example.

I think I can: bash.

Bash, the 140K LOC monstrosity, whose own DOCUMENTATION aptly describes
it as "too big and too slow" [1], has been vulnerable to the Shellshock
(aka Bashdoor) security hole. [l]oksh [2], on the other hand, has never
had any sort of remote hole IIRC.

loksh is only 24.8K LOC, almost 6 times smaller than bash. [3]

(It's possible that I'm wrong, and [l]oksh has a bunch of vulnerabilities
too, which haven't been exploited solely because [l]oksh usage is far
rarer than bash.)

[1]: a direct quote from the BUGS section of bash(1)
[2]: oksh is the OpenBSD Korn shell, loksh is its Linux port.
[3]: both measurements were made without taking Makefiles, autoconf,
READMEs, etc. into account.

---
kiedtl

Re: Simplicity (mostly) guarantees security

Message ID
<20200509160337.lTSLU%x@icyphox.sh>
In-Reply-To
<C2MB51R3DKAC.4AJ74DL6N3CX@tilde>
Kiëd Llaentenn <kiedtl@tilde.team> wrote:

> I think I can: bash.

Ah of course. How could I forget!

> Bash, the 140K LOC monstrosity, whose own DOCUMENTATION aptly describes
> it as "too big and too slow" [1], has been vulnerable to the Shellshock
> (aka Bashdoor) security hole. [l]oksh [2], on the other hand, has never
> had any sort of remote hole IIRC.

Hard agree on ksh. I currently use it on OpenBSD! In fact, the reason I
switched was how sluggish bash was. The difference in speed is night and
day. I do miss some bashisms though...