Date: Wed, 24 Sep 2014 21:23:17 -0400
From: Chet Ramey <chet.ramey@...e.edu>
To: Solar Designer <solar@...nwall.com>, oss-security@...ts.openwall.com
CC: chet.ramey@...e.edu, Tavis Ormandy <taviso@...xchg8b.com>
Subject: Re: CVE-2014-6271: remote code execution through bash

On 9/24/14, 5:32 PM, Solar Designer wrote:
> On Wed, Sep 24, 2014 at 11:27:09PM +0200, Hanno Böck wrote:
>> Tavis Ormandy just tweeted this:
>> https://twitter.com/taviso/status/514887394294652929
>>
>> The bash patch seems incomplete to me, function parsing is still
>> brittle. e.g. $ env X='() { (a)=>\' sh -c "echo date"; cat echo
> 
> Thanks for bringing this to oss-security.  I've added CC to Chet and
> Tavis on this "reply".

I have a fix for this.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
		 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet@...e.edu    http://cnswww.cns.cwru.edu/~chet/
