Date: Sun, 28 Sep 2014 07:22:14 +0200
From: Hanno Böck <>
To: Chet Ramey <>
Cc: Tavis Ormandy <>,
  Florian Weimer <>,
  Michal Zalewski <>,
  Solar Designer <>,
  Eric Blake <>
Subject: Re: CVE-2014-6271: remote code execution through

On Sat, 27 Sep 2014 21:39:19 -0400
Chet Ramey <> wrote:

> OK, here are the more-or-less final versions of the patches for
> bash-2.05b through bash-4.3.  I made two changes from earlier today:
> the function export suffix is now `%%', which is not part of the
> set of valid variable name characters but avoids any potential
> problems with including shell metacharacters in the name; and this
> version refuses to import shell functions whose name contains a
> slash, for reasons I discussed earlier.

From what I can see your official patches still don't contain the
out-of-bound memory fixes.

While not exposing the parser to random variables should shield that
somewhat and reduce impact, they still should be fixed and the Red Hat
patch looks pretty straightforward.

Hanno Böck
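The quoted message describes the import rule the patched bash applies to exported functions: a dedicated variable-name suffix `%%` marks function exports, and names containing a slash are refused. The following Python is an added illustration of that rule and is not code from this thread or from bash itself. It assumes a `BASH_FUNC_` name prefix alongside the `%%` suffix (the mail mentions only the suffix) and treats any plain variable whose value begins with `() {` as a legacy-format export that the patched importer ignores; the environment it scans is constructed for the example.

```python
import re

# Marker assumed for function-export variable names. The mail only
# states the "%%" suffix; the prefix is an assumption for this example.
FUNC_PREFIX = "BASH_FUNC_"
FUNC_SUFFIX = "%%"

# Value shape of an exported function body as bash emits it.
FUNC_BODY_RE = re.compile(r"^\(\) \{")

# Constructed sample environment (not taken from the mail).
SAMPLE_ENV = {
    "HOME": "/home/user",
    "BASH_FUNC_greet%%": "() {  echo hello\n}",
    "BASH_FUNC_bad/name%%": "() {  echo hi\n}",
    "BASH_FUNC_bogus%%": "echo not-a-function",
    "HTTP_USER_AGENT": "() { :; }",
}


def import_decision(name, value):
    """Classify one environment entry under the patched import rule.

    Returns (decision, function_name). function_name is None unless the
    variable name carries the export marker.
    """
    marked = name.startswith(FUNC_PREFIX) and name.endswith(FUNC_SUFFIX)
    if not marked:
        # Old export format: a function body under an ordinary variable
        # name. The patched importer no longer parses these at all.
        if FUNC_BODY_RE.match(value):
            return ("ignore-legacy-format", None)
        return ("ignore", None)

    fname = name[len(FUNC_PREFIX):-len(FUNC_SUFFIX)]
    if not fname:
        # Assumption: an empty function name is treated as invalid.
        return ("reject-empty-name", fname)
    if "/" in fname:
        # Rule from the quoted message: names with a slash are refused.
        return ("reject-slash", fname)
    if not FUNC_BODY_RE.match(value):
        # Marked variable whose value is not a function body.
        return ("reject-not-function-body", fname)
    return ("import", fname)


def scan_env(env):
    """Apply import_decision to every entry; returns {name: decision}."""
    return {name: import_decision(name, value)[0] for name, value in env.items()}


def legacy_format_entries(env):
    """Defender-side check: variables that carry a function body without
    the export marker. In a CGI or similar environment these are the
    attacker-influenced inputs the unpatched parser would have evaluated."""
    return sorted(n for n, d in scan_env(env).items() if d == "ignore-legacy-format")


if __name__ == "__main__":
    for name, decision in scan_env(SAMPLE_ENV).items():
        print(f"{name}: {decision}")
    print("legacy-format entries:", legacy_format_entries(SAMPLE_ENV))
```

Running the block over `SAMPLE_ENV` imports only `greet`, refuses `bad/name` for its slash, refuses `bogus` because its value is not a function body, and reports `HTTP_USER_AGENT` as a legacy-format entry that a patched importer ignores but a monitoring hook might still want to log.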


