Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 3 Oct 2014 22:30:59 +0100
From: Stephane Chazelas <stephane.chazelas@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Shellshock timeline (was: CVE-2014-6271: remote code execution
 through bash)

2014-10-03 14:48:19 -0500, Kobrin, Eric:
> I've found the shellshock vulnerable code in archives claiming to contain bash 1.05, which also claim to be from 1990 or 1989.
> I was unable to find the source for anything claiming older than 1.05.
[...]

Sorry, I said in the other email that it was not in 1.12. That's
my memory failing. I remember checking that it was not in 1.05
and it was, which is even more than my memory failing. Chet did
tell me that it was added in 1.13 though. I've now found 1.12
(ftp://ftp.it.xemacs.org/%7BD/unix/packages/NCSA/DEC_Alpha/bash-1.12.tar.Z)

and it was there indeed and the ChangeLog also in 1.05 has:

Sat Aug  5 08:32:05 1989  Brian Fox  (bfox at aurel)

        * variables.c: make_var_array (), initialize_shell_variables ()
          Added exporting of functions.


And:

Fri Sep  1 18:52:08 1989  Brian Fox  (bfox at aurel)
[...]
        * I update this too irregularly.
          Released 1.03.


So the feature has indeed been there for over a quarter of a
century since 1.03, and Chet and I have spread misconceptions by
saying that it was added circa 1993.

-- 
Stephane

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.