Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 28 Sep 2014 06:35:41 -0600
From: Eric Blake <>
To: Hanno Böck <>,
        Chet Ramey <>
CC: Tavis Ormandy <>, Florian Weimer <>,
        Michal Zalewski <>,
        Solar Designer <>,
Subject: Re: CVE-2014-6271: remote code execution through bash

On 09/27/2014 11:22 PM, Hanno Böck wrote:
> On Sat, 27 Sep 2014 21:39:19 -0400
> Chet Ramey <> wrote:
>> OK, here are the more-or-less final versions of the patches for
>> bash-2.05b through bash-4.3.  I made two changes from earlier today:
>> the function export suffix is now `%%', which is not part of a the
>> set of valid variable name characters but avoids any potential
>> problems with including shell metacharacters in the name; and this
>> version refuses to import shell functions whose name contains a
>> slash, for reasons I discussed earlier.
> From what I can see your official patches still don't contain the
> out-of-bound memory fixes.

Correct, because those patches aren't official yet.  But at the same
time, the out-of-bounds bugs can no longer be used as a remote exploit
vehicle, because the official patch 4.3.27 (and friends) guarantee that
arbitrary values no longer call into the parser.

> While not exposing the parser to random variables should shield that
> somewhat and reduce impact, they still should be fixed and the redhat
> patch looks pretty straightforward.

I'm sure Chet has plans to post more official patches in the coming week.

Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library

Download attachment "signature.asc" of type "application/pgp-signature" (540 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.