Date: Tue, 30 Sep 2014 15:10:23 +0200
From: Sebastian Krahmer <krahmer@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: Healing the bash fork

On Tue, Sep 30, 2014 at 01:50:40PM +0100, Mark R Bannister wrote:
> > I discuss the setuid/setgid vulnerability at the following site,
> > including demonstrating how Florian's prefix/suffix patch provides
> > no protection:
> >
> > http://technicalprose.blogspot.co.uk/2014/09/shellshock-bug-third-vulnerability.html
> 
> Please can we have a separate CVE for the setuid/setgid bash exploit?  I think this attack vector deserves to be tracked properly, and we need to be clear on when and if someone chooses to provide a fix for it.
> 

"innocuous looking setuid program" made my day ;)

We should take care not to blame all and everything on bash.

Sebastian

-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@...e.de - SuSE Security Team
