Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 3 Oct 2014 17:17:20 -0500
From: "Kobrin, Eric" <ekobrin@...mai.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: Shellshock timeline (was: CVE-2014-6271: remote
 code execution through bash)

On Oct 3, 2014, at 5:30 PM, Stephane Chazelas <stephane.chazelas@...il.com> wrote:

> Sorry, I said in the other email that it was not in 1.12. That's
> my memory failing. I remember checking that it was not in 1.05
> and it was, which is even more than my memory failing. Chet did
> tell me that it was added in 1.13 though. I've now found 1.12
> (ftp://ftp.it.xemacs.org/%7BD/unix/packages/NCSA/DEC_Alpha/bash-1.12.tar.Z)

No worries.

The version I used was at: http://www.oldlinux.org/Linux.old/bin/old/bash-1.05/variables.c
Full tar: http://www.oldlinux.org/Linux.old/bin/old/bash-1.05.tar

Brian Fox even wrote a UseNet post advertising the feature on September 8th, 1989 -- just over 25 years before you showed the rest of us that it was a vulnerability in disguise:

https://groups.google.com/d/msg/gnu.bash.bug/72jXoIWYsfE/jJqC-fjSh0wJ

If anyone has a copy of bash-1.02 or bash-1.03, I'd love to see it. It should be floating around some of the old NeXT archives.

-- Eric Kobrin

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.