Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 26 Sep 2014 11:47:49 +0100
From: John Haxby <>
Subject: Re: Re: Non-upstream patches for bash

On 26/09/14 01:23, Ángel González wrote:
> Forwarding to the oss-security thread the patch I sent to bug-bash 
> 1 hour ago.
> The trick here is to delay parsing of functions coming from the
> environment until they are actually needed.
> Thus extra code (CVE-2014-6271) or even a parsing vulnerability like
> CVE-2014-7169 won't be triggered unless you attempt to run the exported
> function (or you use a builtin such as declare or type that must print
> the code, things like type -t are safe to use).

Even with this?

type='() { echo hi there; }' bash

(Or the added stuff from Florian's patch).

I got myself into a right old mess by redefining declare, typeset, unset
and command.

> It can be applied standalone (and remain compatible with older bash
> versions), or it could be combined with some of the other patches.
> It also makes bash more efficient by not parsing unused functions :)
> Although it passes the testsuite, it has only been lightly tested, don't
> install in your nuclear plant yet. 😉

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.