oss-sec mailing list archives
Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash)
From: Stephane Chazelas <stephane.chazelas () gmail com>
Date: Sat, 4 Oct 2014 09:19:07 +0100
The ChangeLog (http://www.oldlinux.org/Linux.old/bin/old/bash-1.05/ChangeLog) and the usenet discussion that Eric unearthed (https://groups.google.com/d/msg/gnu.bash.bug/72jXoIWYsfE/jJqC-fjSh0wJ) and https://groups.google.com/d/msg/comp.unix.questions/LwsdchovzFY/qokUr2mfCboJ Remove any doubt as to when the bug was introduced (August 1989, released in 1.03) and how it was implemented from the start. The code is very simple, it just replaces the = with a space in the environment entry and interprets it. See also http://unix.stackexchange.com/questions/157381/when-was-the-shellshock-cve-2014-6271-7169-bug-introduced-and-what-is-the-pat/157495#157495 -- Stephane
Current thread:
- Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) David A. Wheeler (Oct 03)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Kobrin, Eric (Oct 03)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Stephane Chazelas (Oct 03)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Kobrin, Eric (Oct 03)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Riot (Oct 03)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Riot (Oct 03)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Stephane Chazelas (Oct 04)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Hanno Böck (Oct 04)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Steve Jones (Oct 04)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Lance Davis (Oct 04)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) David A. Wheeler (Oct 05)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Eric Blake (Oct 06)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Stephane Chazelas (Oct 03)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Kobrin, Eric (Oct 03)
- Re: Shellshock timeline Stephane Chazelas (Oct 03)
- Stéphane Chazelas: How *DID* you find Shellshock? David A. Wheeler (Oct 08)
- Re: Stéphane Chazelas: How *DID* you find Shellshock? stephane.chazelas (Oct 08)