Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CALx_OUCaGM+OF_SjQR0Eoqpv+KSf_eB524P1HCqJG8Jz6faExg@mail.gmail.com>
Date: Sat, 27 Sep 2014 12:39:57 -0700
From: Michal Zalewski <lcamtuf@...edump.cx>
To: Chester Ramey <chet.ramey@...e.edu>
Cc: Tavis Ormandy <taviso@...xchg8b.com>, Florian Weimer <fw@...eb.enyo.de>, 
	Solar Designer <solar@...nwall.com>, oss-security@...ts.openwall.com
Subject: Re: CVE-2014-6271: remote code execution through bash

> STD::what::does::this::do

We ran into this problem with the original patch at Google, but TBH,
we've just bitten the bullet.

I'm not sure how hard we should try to accommodate outliers like this
specifically for functions - as far as I can tell, you can't really
get away with meaningfully using colons in variable names, right? But
if you just want to minimize breakage without getting into existential
discussions, wouldn't wihtelisting : and perhaps periods and - going
out on a limb - brackets be good enough?

/mz

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.