Date: Sun, 28 Sep 2014 06:35:41 -0600
From: Eric Blake <eblake@...hat.com>
To: Hanno Böck <hanno@...eck.de>, Chet Ramey <chet.ramey@...e.edu>
CC: Tavis Ormandy <taviso@...xchg8b.com>, Florian Weimer <fw@...eb.enyo.de>, Michal Zalewski <lcamtuf@...edump.cx>, Solar Designer <solar@...nwall.com>, oss-security@...ts.openwall.com
Subject: Re: CVE-2014-6271: remote code execution through bash

On 09/27/2014 11:22 PM, Hanno Böck wrote:
> On Sat, 27 Sep 2014 21:39:19 -0400
> Chet Ramey <chet.ramey@...e.edu> wrote:
>
>> OK, here are the more-or-less final versions of the patches for
>> bash-2.05b through bash-4.3.  I made two changes from earlier today:
>> the function export suffix is now `%%', which is not part of the
>> set of valid variable name characters but avoids any potential
>> problems with including shell metacharacters in the name; and this
>> version refuses to import shell functions whose name contains a
>> slash, for reasons I discussed earlier.
>
> From what I can see your official patches still don't contain the
> out-of-bound memory fixes.

Correct, because those patches aren't official yet.  But at the same
time, the out-of-bounds bugs can no longer be used as a remote exploit
vehicle, because the official patch 4.3.27 (and friends) guarantee that
arbitrary values no longer call into the parser.

> While not exposing the parser to random variables should shield that
> somewhat and reduce impact, they still should be fixed and the redhat
> patch looks pretty straightforward.

I'm sure Chet has plans to post more official patches in the coming week.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
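The import rules Chet describes above (a dedicated name encoding with the `%%` suffix, refusal of function names containing a slash, and no longer handing arbitrary variable values to the parser) can be modelled as an environment audit. The following is an added example, not code from the thread or from bash itself: it classifies environment entries the way a patched bash would treat them and reports the ones a pre-patch bash would have parsed as functions. The `BASH_FUNC_` prefix is an assumption taken from the upstream patch series rather than from this message, the sample environment is constructed, and the brace matcher is deliberately simplified (it ignores quoting).

```python
"""Audit environment variables for bash function-export encodings.

Added example (not from the mailing list thread).  A patched bash only
imports a function from a variable named BASH_FUNC_<name>%% (prefix is an
assumption from the upstream patch), refuses names containing a slash or
that are not valid identifiers, and never parses text after the function
body.  Anything else that merely looks like a function body is an ordinary
variable to the patched shell, but is reported here because a pre-patch
bash would have handed it to the parser.
"""
import re

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
FUNC_PREFIX = "BASH_FUNC_"   # assumed prefix (upstream patch series)
FUNC_SUFFIX = "%%"           # suffix chosen in the patch discussed above

# Constructed sample environment, not captured from a real system.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "BASH_FUNC_greet%%": "() {  echo hello\n}",          # well-formed export
    "BASH_FUNC_bad/name%%": "() {  echo hi\n}",          # slash in the name
    "BASH_FUNC_tail%%": "() { :; }; echo after-brace",   # text after the body
    "SOME_VAR": "() { :; }; echo after-brace",           # body under a plain name
}


def _matching_brace(value):
    """Index of the '}' closing the first '{' in value, or -1 if unterminated.

    Simplified: counts braces only and does not understand shell quoting.
    """
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return i
    return -1


def classify(name, value):
    """Return how a patched bash treats one environment entry.

    'function'         imported as a shell function
    'refused'          encoded name rejected (slash, bad identifier, no body)
    'trailing'         body followed by extra text, which is not executed
    'legacy_function'  looks like a body but lives under a plain variable
                       name; a pre-patch bash would have parsed it
    'variable'         ordinary variable
    """
    looks_like_body = value.startswith("() {")
    if name.startswith(FUNC_PREFIX) and name.endswith(FUNC_SUFFIX):
        fname = name[len(FUNC_PREFIX):-len(FUNC_SUFFIX)]
        if "/" in fname or not IDENT.match(fname):
            return "refused"
        if not looks_like_body:
            return "refused"
        end = _matching_brace(value)
        if end < 0:
            return "refused"
        if value[end + 1:].strip():
            return "trailing"
        return "function"
    if looks_like_body:
        return "legacy_function"
    return "variable"


def audit(env):
    """Classify every entry and list the names that deserve a closer look."""
    classes = {name: classify(name, value) for name, value in env.items()}
    findings = sorted(
        n for n, c in classes.items()
        if c in ("legacy_function", "trailing", "refused")
    )
    return classes, findings


if __name__ == "__main__":
    classes, findings = audit(SAMPLE_ENV)
    for name, cls in classes.items():
        print(f"{cls:16} {name}")
    print("findings:", findings)
```

Running it against the real process environment is a matter of passing `dict(os.environ)` to `audit()`; on a patched system every `legacy_function` hit is inert, but it still shows which input path was carrying function-shaped values into the process.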