Date: Sat, 27 Sep 2014 16:09:51 -0400
From: Chet Ramey <chet.ramey@...e.edu>
To: Michal Zalewski <lcamtuf@...edump.cx>
CC: chet.ramey@...e.edu, Tavis Ormandy <taviso@...xchg8b.com>,
        Florian Weimer <fw@...eb.enyo.de>, Solar Designer <solar@...nwall.com>,
        oss-security@...ts.openwall.com
Subject: Re: CVE-2014-6271: remote code execution through bash

On 9/27/14, 3:39 PM, Michal Zalewski wrote:
>> STD::what::does::this::do
> 
> We ran into this problem with the original patch at Google, but TBH,
> we've just bitten the bullet.
> 
> I'm not sure how hard we should try to accommodate outliers like this
> specifically for functions - as far as I can tell, you can't really
> get away with meaningfully using colons in variable names, right? But
> if you just want to minimize breakage without getting into existential
> discussions, wouldn't whitelisting : and perhaps periods and - going
> out on a limb - brackets be good enough?

We already make function names and variable names different, so there's
no going back -- variable names have the usual restrictions, but with
function names it's essentially anything goes.

Since we would be going from essentially anything goes to a very small
set of acceptable exceptions, I can see a steady stream of "I used to
be able to use character X in my function names and can't now."  Frankly,
the really dangerous one is `/', since it allows you to circumvent scripts
that attempt to use full pathnames to bypass shell function lookups.  I
am more interested in other dangerous characters, the existential debate
between whitelists and blacklists notwithstanding.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
		 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet@...e.edu    http://cnswww.cns.cwru.edu/~chet/
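
The point about `/` being the really dangerous character, shown as an added example (this is not code from the thread, from Google's patch, or from bash itself): bash outside POSIX mode accepts an absolute path as a function name, and function lookup runs before path lookup, so a script that calls `/bin/sh` by full path to dodge a function named `sh` is hijacked anyway. The function names `run_by_fullpath`, `run_via_command`, `define_shadow`, `resolves_to` and `unshadow` are this example's own; the "attacker" definition is assumed to arrive via a sourced file rather than the environment.

```bash
#!/usr/bin/env bash
# Added example for this thread; not code from the thread or from bash itself.
# Demonstrates why '/' in a function name matters: bash (outside POSIX mode)
# lets a function be named after an absolute path, and function lookup happens
# before path lookup, so calling /bin/sh by full path does not bypass it.

# A script's "defensive" call by absolute path, expected to run the real binary.
run_by_fullpath() {
    /bin/sh -c 'echo real'
}

# The same call through the 'command' builtin, which skips function lookup.
run_via_command() {
    command /bin/sh -c 'echo real'
}

# Attacker-controlled definition (assumed to come from a sourced file): the
# function *name* is the absolute path. Accepted by bash in its default mode;
# 'set -o posix' rejects it as "not a valid identifier".
define_shadow() {
    /bin/sh() { echo "hijacked with $# args"; }
}

# Report what a word currently resolves to: "function" or "file".
resolves_to() {
    type -t "$1" 2>/dev/null
}

# Remove a shadowing function if one exists; outside POSIX mode 'unset -f'
# accepts names that are not valid identifiers, slashes included.
unshadow() {
    if [ "$(resolves_to "$1")" = function ]; then
        unset -f "$1"
    fi
}

main() {
    echo "before:       $(run_by_fullpath)  ($(resolves_to /bin/sh))"
    define_shadow
    echo "shadowed:     $(run_by_fullpath)  ($(resolves_to /bin/sh))"
    echo "via command:  $(run_via_command)"
    unshadow /bin/sh
    echo "after unset:  $(run_by_fullpath)  ($(resolves_to /bin/sh))"
}

main "$@"
```

A script that wants to be sure it is running the file and not a function has to say so with `command` (or `exec`, which also never resolves to a function); spelling out the full path is not enough on its own. `set -o posix` closes the definition side, since POSIX mode restricts function names to valid identifiers, but it does nothing for functions that were defined before the script turned it on.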
