oss-sec mailing list archives
Re: [security-vendor] Re: [oss-security] Fwd: Non-upstream patches for bash
From: Mark Hatle <mark.hatle () windriver com>
Date: Thu, 25 Sep 2014 17:26:42 -0500
On 9/25/14, 5:13 PM, Marc Deslauriers wrote:
On 14-09-25 01:49 PM, Huzaifa Sidhpurwala wrote:Hi All, Based on the current situation and the fact that there is confusion about what patch to use for the bash issue. I wanted to post this here. We have found a few more issues (OOB memory access). Also I am posting Florain's patch here which should fix the issue in a more deeper way rather than just apply duct-tape.Could we please get two CVE numbers assigned for the two OOB memory issues?
Using the two patches, CVE-2014-6271 and the one line eol-pushback.patch, I am not able to reproduce what I expect should be happing with bash 4.2.
Should I be seeing a problem with the reproducers that were mentioned in an earlier piece of this thread, either:
bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' or(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) > test-script.sh $ bash test-script.sh
The first one gives me a series of:bash: line 1: warning: here-document at line 1 delimited by end-of-file (wanted `EO')
But does not result in a segfault.. (perhaps my memory layout/allocations just happen to be avoiding that)
And the test-script.sh runs w/o segfault or other error being present.. again maybe I'm lucky?
(Or am I simply missing something in the reproducer steps?) Mark Hatle Wind River Systems
Current thread:
- Re: Fwd: Non-upstream patches for bash, (continued)
- Re: Fwd: Non-upstream patches for bash Michael Samuel (Sep 28)
- Re: Fwd: Non-upstream patches for bash Sven Kieske (Sep 28)
- Re: [langsec-discuss] [oss-security] Fwd: Non-upstream patches for bash Paul Burchard (Sep 29)
- Re: Fwd: Non-upstream patches for bash Bernhard Hermann (Sep 29)
- Re: Fwd: Non-upstream patches for bash Ed Prevost (Sep 29)
- Re: Fwd: Non-upstream patches for bash Jakub Wilk (Sep 29)
- Re: Fwd: Non-upstream patches for bash cve-assign (Sep 29)
- Re: Fwd: Non-upstream patches for bash Chet Ramey (Sep 29)
- Re: [security-vendor] Re: [oss-security] Fwd: Non-upstream patches for bash Mark Hatle (Sep 26)
- Re: Re: Non-upstream patches for bash John Haxby (Sep 26)
- Re: Re: Non-upstream patches for bash Ángel González (Sep 26)
- Re: Array importing in bash 4.3 (was: Re: [oss-security] Fwd: Non-upstream patches for bash) Kobrin, Eric (Sep 29)
- Re: Array importing in bash 4.3 Florian Weimer (Sep 29)
- Re: Array importing in bash 4.3 Kobrin, Eric (Sep 29)