Date: Fri, 3 Oct 2014 17:17:20 -0500
From: "Kobrin, Eric" <ekobrin@...mai.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash)

On Oct 3, 2014, at 5:30 PM, Stephane Chazelas <stephane.chazelas@...il.com> wrote:

> Sorry, I said in the other email that it was not in 1.12. That's
> my memory failing. I remember checking that it was not in 1.05
> and it was, which is even more than my memory failing. Chet did
> tell me that it was added in 1.13 though. I've now found 1.12
> (ftp://ftp.it.xemacs.org/%7BD/unix/packages/NCSA/DEC_Alpha/bash-1.12.tar.Z)

No worries. The version I used was at:
http://www.oldlinux.org/Linux.old/bin/old/bash-1.05/variables.c

Full tar:
http://www.oldlinux.org/Linux.old/bin/old/bash-1.05.tar

Brian Fox even wrote a UseNet post advertising the feature on September 8th, 1989 -- just over 25 years before you showed the rest of us that it was a vulnerability in disguise:
https://groups.google.com/d/msg/gnu.bash.bug/72jXoIWYsfE/jJqC-fjSh0wJ

If anyone has a copy of bash-1.02 or bash-1.03, I'd love to see it. It should be floating around some of the old NeXT archives.

--
Eric Kobrin