Date: Sat, 4 Oct 2014 15:22:49 +0200 From: Hanno Böck <hanno@...eck.de> To: Riot <rain.backnet@...il.com> Cc: oss-security@...ts.openwall.com Subject: Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Am Sat, 4 Oct 2014 00:19:06 +0100 schrieb Riot <rain.backnet@...il.com>: > We then worked further back in time, unearthing bash 1.08.2 on an > ancient 1991 Atari ST image: > http://images.rymate.co.uk/images/iwaSGPo.png This was also > vulnerable. This version is relevant because the first version of > bash ported to linux was bash 1.08 - here's the original post by > Linus at the tender age of advertising his first build of linux on > the minix newsgroup in 1991, explicitly mentioning bash 1.08. This > datum told us that shellshock is older than all of linux, which makes > for a nice soundbite for the press. > > Going back further proved very difficult because few archives > including these early versions exist anywhere, and by all accounts > the early releases were buggy and not particularly portable. We > eventually managed to locate an image for an obscure Japanese > Human68k containing bash 1.05. Here it identifies itself as bash > 1.05 X6_19: http://images.rymate.co.uk/images/kH8VnTo.png The file > is dated 12/08/1991... and of course it's vulnerable: > http://images.rymate.co.uk/images/zTYm05I.png Can you post the relevant download links to the atari st / 68k images and other possibly interesting stuff? Or where they from private archives? I think independently of current events this might be interesting for people digging in IT history, so having them somewhere easy to find would be nice. -- Hanno Böck http://hboeck.de/ mail/jabber: hanno@...eck.de GPG: BBB51E42 Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ