Date: Sat, 4 Oct 2014 09:19:07 +0100
From: Stephane Chazelas <stephane.chazelas@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash)

The ChangeLog
(http://www.oldlinux.org/Linux.old/bin/old/bash-1.05/ChangeLog)
and the usenet discussion that Eric unearthed
(https://groups.google.com/d/msg/gnu.bash.bug/72jXoIWYsfE/jJqC-fjSh0wJ)
and
https://groups.google.com/d/msg/comp.unix.questions/LwsdchovzFY/qokUr2mfCboJ
remove any doubt as to when the bug was introduced (August 1989,
released in 1.03) and how it was implemented from the start.

The code is very simple, it just replaces the = with a space in
the environment entry and interprets it.

See also
http://unix.stackexchange.com/questions/157381/when-was-the-shellshock-cve-2014-6271-7169-bug-introduced-and-what-is-the-pat/157495#157495

-- 
Stephane
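Added example, not part of the message above and not bash's own code: a defender-side check that rebuilds, for each environment entry, the text the message describes (the first = replaced with a space) and reports function-shaped values, including those that carry text after the function body's closing brace. The "() {" prefix test, the simplified quote and brace scan, and all names here are assumptions of this example; the sample entries are constructed.

```python
FUNC_PREFIX = "() {"  # assumption: value prefix that pre-fix bash treated as a function

def as_interpreted(entry):
    """Text handed to the parser: the first '=' replaced with a space."""
    name, sep, value = entry.partition("=")
    if not sep or not value.startswith(FUNC_PREFIX):
        return None
    return name + " " + value

def trailing_text(value):
    """Text after the body's closing brace; None if the body never closes."""
    # Simplified scan (assumption): tracks quotes, backslashes and brace depth only.
    depth, quote, i = 0, None, value.index("{")
    while i < len(value):
        c = value[i]
        if quote:
            if c == "\\" and quote == '"':
                i += 1            # skip the escaped character inside "..."
            elif c == quote:
                quote = None
        elif c == "\\":
            i += 1                # skip the escaped character outside quotes
        elif c in "'\"":
            quote = c
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return value[i + 1:].strip(" \t\n;")
        i += 1
    return None

def classify(entry):
    if as_interpreted(entry) is None:
        return "plain"
    rest = trailing_text(entry.partition("=")[2])
    if rest is None:
        return "malformed"
    return "function+trailing" if rest else "function"

def scan(entries):
    """Return (name, verdict) for every entry that is not a plain variable."""
    return [(e.partition("=")[0], classify(e)) for e in entries if classify(e) != "plain"]

# Constructed sample entries, in the NAME=value form of the process environment.
SAMPLE = ["HOME=/home/user", "greet=() { echo hello; }",
          "X=() { :; }; echo constructed-marker", "broken=() { echo 'unterminated"]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

To check a live process environment, pass `[f"{k}={v}" for k, v in os.environ.items()]` to `scan`.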