Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20140930131023.GA27220@suse.de>
Date: Tue, 30 Sep 2014 15:10:23 +0200
From: Sebastian Krahmer <krahmer@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: Healing the bash fork

On Tue, Sep 30, 2014 at 01:50:40PM +0100, Mark R Bannister wrote:
> > I discuss the setuid/setgid vulnerability at the following site,> including demonstrating how Florian's prefix/suffix patch provides
> > no protection:>
> > http://technicalprose.blogspot.co.uk/2014/09/shellshock-bug-third-vulnerability.html
> 
> Please can we have a separate CVE for the setuid/setgid bash exploit?  I think this attack vector deserves to be tracked properly, and we need to be clear on when and if someone chooses to provide a fix for it.
> 

"innocuous looking setuid program" made my day ;)

We should take care not to blame all and everything to bash.

Sebastian

-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@...e.de - SuSE Security Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.