Date: Sun, 19 Oct 2014 17:34:14 -0400 From: Chet Ramey <chet.ramey@...e.edu> To: cve-assign@...re.org, jwilk@...lk.net CC: chet.ramey@...e.edu, oss-security@...ts.openwall.com Subject: Re: Fwd: Non-upstream patches for bash -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 9/29/14 11:44 AM, cve-assign@...re.org wrote: >> the parser is not locale-agnostic. Here's an example how it can be >> exploited: >> http://bugs.python.org/issue22187 That's not actually an exploit, or even a bug. > The discussion in Issue22187 is about changing code in Python 2.x to > work around this. However, is it useful to assign one new > CVE-2014-#### ID for Bash, on the expectation that Bash was intended > to recognize valid characters in zh_CN.GBK, but instead is identifying > part of a two-byte character as a \ character, and this has security > implications for products that attempt to do otherwise-correct quoting > of untrusted strings for use in sh commands? This is exactly the opposite of what is happening. The test in the link (message 226439) shows that bash and ksh are properly reading valid multibyte characters in the input and not treating backslashes that are the second byte of a multibyte character as escape characters. The other shells, presumably not multibyte-character-aware at all, incorrectly allow that backslash to escape the closing double quote. Posix is very careful to specify that the shell reads characters, and uses characters when deciding how to tokenize the input, instead of bytes. If those characters are multibyte, the shell is expected to read multiple bytes. Are you proposing that a multibyte character whose second byte happens to be a `|' should start a pipeline? Chet - -- ``The lyf so short, the craft so long to lerne.'' - Chaucer ``Ars longa, vita brevis'' - Hippocrates Chet Ramey, ITS, CWRU chet@...e.edu http://cnswww.cns.cwru.edu/~chet/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (Darwin) Comment: GPGTools - http://gpgtools.org iEYEARECAAYFAlRELlYACgkQu1hp8GTqdKtEsACfYyDVqQoaC2gTjQZhHTXWlSV3 iAsAn3EQrDeHo3ldByfbYgrGixYgZL+B =kgf1 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ