Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 25 Sep 2014 20:15:46 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: chet.ramey@...e.edu
Subject: Re: CVE-2014-6271: remote code execution through bash

On Thu, Sep 25, 2014 at 11:37:45AM -0400, Chet Ramey wrote:
> On 9/24/14, 10:47 PM, Solar Designer wrote:
> > While we're at it, I think it's preferable not to output error messages
> > triggerable by untrusted input, e.g.:
[...]

> I disagree.  It's important for a program -- not just the shell -- to tell
> the user when it attempts to do something on his behalf and is unable to
> do it.

There's obviously a trade-off here.  I agree that keeping the error
messages is the right thing if we can keep them contained to local usage
(and local attack) scenarios under typical setups.  I think applying
Florian's prefix-suffix patch will achieve that (besides its main goal
of actually mitigating most attacks).

What do you think of distros' going with Florian's prefix-suffix patch
right now?  I think it breaks function imports/exports between
pre-patch and post-patch bash versions, but keeps them intact for
patched versions.  Right?  If so, this sounds acceptable for immediate
use by distros.  Do you agree?

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.