Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 27 Sep 2014 16:09:51 -0400
From: Chet Ramey <>
To: Michal Zalewski <>
CC:, Tavis Ormandy <>,
        Florian Weimer <>, Solar Designer <>,
Subject: Re: CVE-2014-6271: remote code execution through bash

On 9/27/14, 3:39 PM, Michal Zalewski wrote:
>> STD::what::does::this::do
> We ran into this problem with the original patch at Google, but TBH,
> we've just bitten the bullet.
> I'm not sure how hard we should try to accommodate outliers like this
> specifically for functions - as far as I can tell, you can't really
> get away with meaningfully using colons in variable names, right? But
> if you just want to minimize breakage without getting into existential
> discussions, wouldn't wihtelisting : and perhaps periods and - going
> out on a limb - brackets be good enough?

We already make function names and variable names different, so there's
no going back -- variable names have the usual restrictions, but with
function names it's essentially anything goes.

Since we would be going from essentially anything goes to a very small
set of acceptable exceptions, I can see a steady stream of "I used to
be able to use character X in my function names and can't now."  Frankly,
the really dangerous one is `/', since it allows you to circumvent scripts
that attempt to use full pathnames to bypass shell function lookups.  I
am more interested in other dangerous characters, the existential debate
between whitelists and blacklists notwithstanding.

``The lyf so short, the craft so long to lerne.'' - Chaucer
		 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.