Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 4 Oct 2014 00:21:36 +0100
From: Riot <rain.backnet@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Shellshock timeline (was: CVE-2014-6271: remote
 code execution through bash)

Correction: *Here's the original post by Linus at the tender age of 21
advertising his first build of linux on the minix newsgroup in 1991:
http://i.imgur.com/1AEKJ7s.png

On 4 October 2014 00:19, Riot <rain.backnet@...il.com> wrote:

> I and a couple of people on IRC (special thanks to rymate1234) carried out
> some code archeology of this earlier as events first unfolded.  Although
> commonly cited in the press as going back to bash 1.13, we confirmed the
> bug exists all the way back to bash 1.05.
>
> We had to do some fairly obscure digging for this, because the old bash
> versions are very difficult to compile on modern setups.  Rather than just
> statically analyse the source, we wanted to actually test various builds.
> We started by building 1996 version of slackware, and got 1.12 and 1.13
> building, confirming the bug existed in 1.12 and earlier.  We also found a
> few binary images containing built versions of 1.12 and confirmed the bug
> existed in those: http://images.rymate.co.uk/images/ihewGLM.png
>
> We then worked further back in time, unearthing bash 1.08.2 on an ancient
> 1991 Atari ST image: http://images.rymate.co.uk/images/iwaSGPo.png  This
> was also vulnerable.  This version is relevant because the first version of
> bash ported to linux was bash 1.08 - here's the original post by Linus at
> the tender age of  advertising his first build of linux on the minix
> newsgroup in 1991, explicitly mentioning bash 1.08.  This datum told us
> that shellshock is older than all of linux, which makes for a nice
> soundbite for the press.
>
> Going back further proved very difficult because few archives including
> these early versions exist anywhere, and by all accounts the early releases
> were buggy and not particularly portable.  We eventually managed to locate
> an image for an obscure Japanese Human68k containing bash 1.05.  Here it
> identifies itself as bash 1.05 X6_19:
> http://images.rymate.co.uk/images/kH8VnTo.png  The file is dated
> 12/08/1991... and of course it's vulnerable:
> http://images.rymate.co.uk/images/zTYm05I.png
>
> That was the earliest release, either source or binary, we were able to
> get hold of.  We were also unable to find any documentation or even casual
> mention of any version between 0.99 and 1.05, and one of few mentions of
> bash 0.99 is the 1989 release announcement by Brian Fox, the original
> developer, at the gnu.announce newsgroup:
> https://groups.google.com/forum/#!topic/gnu.announce/hvhlR1Vn1P0  This
> was announced as a beta, and we've been unable to find any mention of any
> earlier version.  The path to look for is /u2/emacs/bash-0.99.tar.Z but
> we've been unable to locate this in any archives, and at this point
> consider it lost - please do keep an eye out for this file!
>
> If anyone has a way of contacting Brian Fox, he might just have an old
> archive of ancient versions of bash banging around which could put the
> question to rest once and for all - at which point exactly was shellshock
> introduced.  But so far, all indications lead to the implication that the
> bug has been in bash since its very inception in the late 80s, and before
> it was ever released to the public.
>
> Regards,
> Riot
>
> P.S. If any of you publish any of this information, please let me know :)
>
> On 3 October 2014 23:17, Kobrin, Eric <ekobrin@...mai.com> wrote:
>
>> On Oct 3, 2014, at 5:30 PM, Stephane Chazelas <
>> stephane.chazelas@...il.com> wrote:
>>
>> > Sorry, I said in the other email that it was not in 1.12. That's
>> > my memory failing. I remember checking that it was not in 1.05
>> > and it was, which is even more than my memory failing. Chet did
>> > tell me that it was added in 1.13 though. I've now found 1.12
>> > (
>> ftp://ftp.it.xemacs.org/%7BD/unix/packages/NCSA/DEC_Alpha/bash-1.12.tar.Z
>> )
>>
>> No worries.
>>
>> The version I used was at:
>> http://www.oldlinux.org/Linux.old/bin/old/bash-1.05/variables.c
>> Full tar: http://www.oldlinux.org/Linux.old/bin/old/bash-1.05.tar
>>
>> Brian Fox even wrote a UseNet post advertising the feature on September
>> 8th, 1989 -- just over 25 years before you showed the rest of us that it
>> was a vulnerability in disguise:
>>
>> https://groups.google.com/d/msg/gnu.bash.bug/72jXoIWYsfE/jJqC-fjSh0wJ
>>
>> If anyone has a copy of bash-1.02 or bash-1.03, I'd love to see it. It
>> should be floating around some of the old NeXT archives.
>>
>> -- Eric Kobrin
>>
>>
>>
>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ