Date: Thu, 25 Sep 2014 23:37:12 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com, chet.ramey@...e.edu
Subject: Re: Fwd: Non-upstream patches for bash

On 09/25/2014 11:26 PM, Solar Designer wrote:
> On Thu, Sep 25, 2014 at 11:19:24PM +0530, Huzaifa Sidhpurwala wrote:
>> Based on the current situation and the fact that there is confusion
>> about what patch to use for the bash issue, I wanted to post this here.
>
> Thanks!
>
>> From: Florian Weimer <fweimer@...hat.com>
> [...]
>> Internal analysis revealed two out-of-bounds array accesses in the bash
>> parser.  This was also independently and privately reported by Todd
>> Sabin <tsabin@...online.net>.
>
> Have these been reported upstream?
>
Nope, but I just CCed Chet on it now :)

> What's the oldest version of bash affected by them?
>
> Your reproducers didn't trigger any obvious misbehavior here with 3.1.8
> with lots of unrelated patches.  Of course, this does not mean much, but
> maybe these issues are in fact 3.2+?
>
Yes, 3.2+. I have not checked older versions though.

> Alexander
>


-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team
