Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 29 Sep 2014 22:08:04 -0400
From: Chet Ramey <chet.ramey@...e.edu>
To: cve-assign@...re.org, jwilk@...lk.net
CC: chet.ramey@...e.edu, oss-security@...ts.openwall.com
Subject: Re: Fwd: Non-upstream patches for bash

On 9/29/14, 11:44 AM, cve-assign@...re.org wrote:
>> the parser is not locale-agnostic. Here's an example how it can be
>> exploited:
>> http://bugs.python.org/issue22187
> 
> The discussion in Issue22187 is about changing code in Python 2.x to
> work around this. However, is it useful to assign one new
> CVE-2014-#### ID for Bash, on the expectation that Bash was intended
> to recognize valid characters in zh_CN.GBK, but instead is identifying
> part of a two-byte character as a \ character, and this has security
> implications for products that attempt to do otherwise-correct quoting
> of untrusted strings for use in sh commands?

Can someone send me a test case to look at?

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
		 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet@...e.edu    http://cnswww.cns.cwru.edu/~chet/

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ