Date: Tue, 30 Sep 2014 15:10:23 +0200 From: Sebastian Krahmer <krahmer@...e.de> To: oss-security@...ts.openwall.com Subject: Re: Healing the bash fork On Tue, Sep 30, 2014 at 01:50:40PM +0100, Mark R Bannister wrote: > > I discuss the setuid/setgid vulnerability at the following site,> including demonstrating how Florian's prefix/suffix patch provides > > no protection:> > > http://technicalprose.blogspot.co.uk/2014/09/shellshock-bug-third-vulnerability.html > > Please can we have a separate CVE for the setuid/setgid bash exploit? I think this attack vector deserves to be tracked properly, and we need to be clear on when and if someone chooses to provide a fix for it. > "innocuous looking setuid program" made my day ;) We should take care not to blame all and everything to bash. Sebastian -- ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer@...e.de - SuSE Security Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.