Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 29 Sep 2014 22:08:04 -0400
From: Chet Ramey <>
Subject: Re: Fwd: Non-upstream patches for bash

On 9/29/14, 11:44 AM, wrote:
>> the parser is not locale-agnostic. Here's an example how it can be
>> exploited:
> The discussion in Issue22187 is about changing code in Python 2.x to
> work around this. However, is it useful to assign one new
> CVE-2014-#### ID for Bash, on the expectation that Bash was intended
> to recognize valid characters in zh_CN.GBK, but instead is identifying
> part of a two-byte character as a \ character, and this has security
> implications for products that attempt to do otherwise-correct quoting
> of untrusted strings for use in sh commands?

Can someone send me a test case to look at?

``The lyf so short, the craft so long to lerne.'' - Chaucer
		 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ