oss-sec mailing list archives

Re: CVE-2014-6271: remote code execution through bash


From: Solar Designer <solar () openwall com>
Date: Thu, 25 Sep 2014 20:19:28 +0400

On Thu, Sep 25, 2014 at 11:36:24AM -0400, Chet Ramey wrote:
> On 9/24/14, 8:14 PM, Solar Designer wrote:
> > What about no longer inheriting functions with names that don't contain
> > any lowercase letters?
>
> It's a heuristic like any other, but I think it's even more obscure and
> mysterious than the other suggestions.

I agree.  I only suggested it as an interim measure if you felt that a
more invasive change was not acceptable yet.

I think Florian's prefix-suffix patch is actually a better way to go
(right now, unless there's some drawback I am not yet aware of), and at
a later time function imports should require to be enabled with a
non-default option.

Alexander

