Message-ID: <CADBjfCHo1EJPwd51g6V5aHAHdQ3M9Z7j0VxUwZPaZSb=S-EWnw@mail.gmail.com>
Date: Sat, 4 Oct 2014 20:34:21 +0100
From: Riot <rain.backnet@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash)

Absolutely.

Bash versions back to 1.13 are all available on ftp.gnu, so not going to
list explicit links for those.

Bash 1.12 came from this old slackware mirror:
http://mirrors.dotsrc.org/slackware/slackware-2.0.1/slacksrc/a/bash/bash-1.12.tar.gz

Other old slackware and debian releases from the era:
http://www.nielshorn.net/slackware/slack_old.php
and
http://archive.debian.org/debian/dists/Debian-1.1/main/disks-i386/1996_6_16/

The atari bash 1.08 binary we used came from
http://www.umich.edu/~archive/atari/Gnustuff/Tos/Bash/Bash-108/
and was tested in the steem engine emulator:
https://code.google.com/p/steem-engine/

The Human68k bash came from
http://nfggames.com/x68000/Mirrors/Groundzero%20Organization/x68tools/gnu/bash/1.05/
and was tested using the XM6 Pro emulator:
http://mijet.eludevisibility.org/XM6%20Pro-68k/XM6%20Pro-68k.html
with this disk image to boot:
http://www.retropc.net/x68000/software/sharp/human302/index.htm

Regards,
Riot

On 4 October 2014 14:22, Hanno Böck <hanno@...eck.de> wrote:
> On Sat, 4 Oct 2014 00:19:06 +0100
> Riot <rain.backnet@...il.com> wrote:
>
> > We then worked further back in time, unearthing bash 1.08.2 on an
> > ancient 1991 Atari ST image:
> > http://images.rymate.co.uk/images/iwaSGPo.png This was also
> > vulnerable. This version is relevant because the first version of
> > bash ported to linux was bash 1.08 - here's the original post by
> > Linus at the tender age of advertising his first build of linux on
> > the minix newsgroup in 1991, explicitly mentioning bash 1.08. This
> > datum told us that shellshock is older than all of linux, which makes
> > for a nice soundbite for the press.
> >
> > Going back further proved very difficult because few archives
> > including these early versions exist anywhere, and by all accounts
> > the early releases were buggy and not particularly portable. We
> > eventually managed to locate an image for an obscure Japanese
> > Human68k containing bash 1.05. Here it identifies itself as bash
> > 1.05 X6_19: http://images.rymate.co.uk/images/kH8VnTo.png The file
> > is dated 12/08/1991... and of course it's vulnerable:
> > http://images.rymate.co.uk/images/zTYm05I.png
> >
>
> Can you post the relevant download links to the atari st / 68k images
> and other possibly interesting stuff? Or were they from private
> archives?
>
> I think independently of current events this might be interesting for
> people digging in IT history, so having them somewhere easy to find
> would be nice.
>
> --
> Hanno Böck
> http://hboeck.de/
>
> mail/jabber: hanno@...eck.de
> GPG: BBB51E42