Date: Mon, 29 Sep 2014 22:08:04 -0400 From: Chet Ramey <chet.ramey@...e.edu> To: cve-assign@...re.org, jwilk@...lk.net CC: chet.ramey@...e.edu, oss-security@...ts.openwall.com Subject: Re: Fwd: Non-upstream patches for bash On 9/29/14, 11:44 AM, cve-assign@...re.org wrote: >> the parser is not locale-agnostic. Here's an example how it can be >> exploited: >> http://bugs.python.org/issue22187 > > The discussion in Issue22187 is about changing code in Python 2.x to > work around this. However, is it useful to assign one new > CVE-2014-#### ID for Bash, on the expectation that Bash was intended > to recognize valid characters in zh_CN.GBK, but instead is identifying > part of a two-byte character as a \ character, and this has security > implications for products that attempt to do otherwise-correct quoting > of untrusted strings for use in sh commands? Can someone send me a test case to look at? -- ``The lyf so short, the craft so long to lerne.'' - Chaucer ``Ars longa, vita brevis'' - Hippocrates Chet Ramey, ITS, CWRU chet@...e.edu http://cnswww.cns.cwru.edu/~chet/
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ