Date: Thu, 5 Jun 2014 22:51:39 -0400
From: Jeffrey Walton <noloader@...il.com>
To: Hector Marco <hecmargi@....es>
Cc: oss-security@...ts.openwall.com, Full Disclosure List <fulldisclosure@...lists.org>, bugs@...uritytracker.com, BugTraq <bugtraq@...urityfocus.com>
Subject: Re: [FD] Bug in bash <= 4.3 [security feature bypassed]

> 2014-06-03 16:16 GMT+02:00 Hector Marco <hecmargi@....es>:
>
> Hi everyone,
>
> Recently we discovered a bug in bash. After some time after reporting
> it to bash developers, it has not been fixed.
>
> We think that this is a security issue because in some circumstances
> the bash security feature could be bypassed, allowing bash to be a
> valid target shell in an attack.
>
> We strongly recommend patching your bash code.
>
> Why not fix this bug by simply adding a mandatory "if" clause?
> Any comments about this issue are welcome.
>
>
> Details at:
> http://hmarco.org/bugs/bash_4.3-setuid-bug.html

It looks like Rage Against The Cage has been rediscovered. Also known as Android ADB Setuid bug.

Jeff