Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 4 Oct 2014 00:21:36 +0100
From: Riot <rain.backnet@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Shellshock timeline (was: CVE-2014-6271: remote
 code execution through bash)

Correction: *Here's the original post by Linus at the tender age of 21
advertising his first build of linux on the minix newsgroup in 1991:
http://i.imgur.com/1AEKJ7s.png

On 4 October 2014 00:19, Riot <rain.backnet@...il.com> wrote:

> I and a couple of people on IRC (special thanks to rymate1234) carried out
> some code archeology of this earlier as events first unfolded.  Although
> commonly cited in the press as going back to bash 1.13, we confirmed the
> bug exists all the way back to bash 1.05.
>
> We had to do some fairly obscure digging for this, because the old bash
> versions are very difficult to compile on modern setups.  Rather than just
> statically analyse the source, we wanted to actually test various builds.
> We started by building 1996 version of slackware, and got 1.12 and 1.13
> building, confirming the bug existed in 1.12 and earlier.  We also found a
> few binary images containing built versions of 1.12 and confirmed the bug
> existed in those: http://images.rymate.co.uk/images/ihewGLM.png
>
> We then worked further back in time, unearthing bash 1.08.2 on an ancient
> 1991 Atari ST image: http://images.rymate.co.uk/images/iwaSGPo.png  This
> was also vulnerable.  This version is relevant because the first version of
> bash ported to linux was bash 1.08 - here's the original post by Linus at
> the tender age of  advertising his first build of linux on the minix
> newsgroup in 1991, explicitly mentioning bash 1.08.  This datum told us
> that shellshock is older than all of linux, which makes for a nice
> soundbite for the press.
>
> Going back further proved very difficult because few archives including
> these early versions exist anywhere, and by all accounts the early releases
> were buggy and not particularly portable.  We eventually managed to locate
> an image for an obscure Japanese Human68k containing bash 1.05.  Here it
> identifies itself as bash 1.05 X6_19:
> http://images.rymate.co.uk/images/kH8VnTo.png  The file is dated
> 12/08/1991... and of course it's vulnerable:
> http://images.rymate.co.uk/images/zTYm05I.png
>
> That was the earliest release, either source or binary, we were able to
> get hold of.  We were also unable to find any documentation or even casual
> mention of any version between 0.99 and 1.05, and one of few mentions of
> bash 0.99 is the 1989 release announcement by Brian Fox, the original
> developer, at the gnu.announce newsgroup:
> https://groups.google.com/forum/#!topic/gnu.announce/hvhlR1Vn1P0  This
> was announced as a beta, and we've been unable to find any mention of any
> earlier version.  The path to look for is /u2/emacs/bash-0.99.tar.Z but
> we've been unable to locate this in any archives, and at this point
> consider it lost - please do keep an eye out for this file!
>
> If anyone has a way of contacting Brian Fox, he might just have an old
> archive of ancient versions of bash banging around which could put the
> question to rest once and for all - at which point exactly was shellshock
> introduced.  But so far, all indications lead to the implication that the
> bug has been in bash since its very inception in the late 80s, and before
> it was ever released to the public.
>
> Regards,
> Riot
>
> P.S. If any of you publish any of this information, please let me know :)
>
> On 3 October 2014 23:17, Kobrin, Eric <ekobrin@...mai.com> wrote:
>
>> On Oct 3, 2014, at 5:30 PM, Stephane Chazelas <
>> stephane.chazelas@...il.com> wrote:
>>
>> > Sorry, I said in the other email that it was not in 1.12. That's
>> > my memory failing. I remember checking that it was not in 1.05
>> > and it was, which is even more than my memory failing. Chet did
>> > tell me that it was added in 1.13 though. I've now found 1.12
>> > (
>> ftp://ftp.it.xemacs.org/%7BD/unix/packages/NCSA/DEC_Alpha/bash-1.12.tar.Z
>> )
>>
>> No worries.
>>
>> The version I used was at:
>> http://www.oldlinux.org/Linux.old/bin/old/bash-1.05/variables.c
>> Full tar: http://www.oldlinux.org/Linux.old/bin/old/bash-1.05.tar
>>
>> Brian Fox even wrote a UseNet post advertising the feature on September
>> 8th, 1989 -- just over 25 years before you showed the rest of us that it
>> was a vulnerability in disguise:
>>
>> https://groups.google.com/d/msg/gnu.bash.bug/72jXoIWYsfE/jJqC-fjSh0wJ
>>
>> If anyone has a copy of bash-1.02 or bash-1.03, I'd love to see it. It
>> should be floating around some of the old NeXT archives.
>>
>> -- Eric Kobrin
>>
>>
>>
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.