oss-sec mailing list archives
Re: CVE-2014-6271: remote code execution through bash
From: Solar Designer <solar () openwall com>
Date: Thu, 25 Sep 2014 02:11:17 +0400
Florian,

On Wed, Sep 24, 2014 at 09:21:40PM +0200, Florian Weimer wrote:
> * Florian Weimer:
>
> > Someone has posted large parts of the prenotification as a news
> > article, so in the interest of full disclosure, here is what we wrote
> > to the non-vendors (vendors also received patches):
>
> Oh dear. It's now been implied that something leaked before the
> embargo was over, or that more information was disclosed than planned.
> This is not the case, on neither count. I was just annoyed that parts
> of a private message I wrote ended up on a news site without my prior
> consent. The disclosure as such wasn't a problem, except for a single
> technical inaccuracy that has since been corrected. It was an honest
> mistake, apologies were made and accepted. It did not impact the
> disclosure schedule at all (it happened after the disclosure), nor the
> amount of information being disclosed in any material way (the Red Hat
> blog post contained essentially the same information). Once I saw what
> happened, I decided to publish the full message here.

This brings up the question: why did someone (merely?) running a news
site receive the exact advance notification message (or a portion of
it), and when did they receive it? I doubt a person merely running a
news site actually received advance notification in this case (I hope
not!), but I think you need to clarify this aspect.

> So to repeat: The embargo was scheduled for 14:00 UTC today, and my
> initial brief posting was not prompted by a desire to withhold
> information. I just wanted to limit the amount of possibly conflicting
> technical information, and I had other duties to attend to. (In
> retrospect, I should probably have included the message from the
> prenotification from the start, which would have avoided any
> confusion.)

Yes, I think including the full message in your first notification to
oss-security would have worked best.

> We'll also want to discuss additional hardening measures (see my
> message about BASH_FUNCDEFS), and we previously agreed to do this
> publicly, after disclosure. Obviously, the technical details are
> necessarily public once we do that. It's often tricky to decide how
> much information to include in a public vulnerability disclosure. In
> this particular case, I think we had to publish technical details so
> that those who cannot patch immediately can at least try to mitigate
> this vulnerability using filters on devices in front of web servers,
> or tools like mod_security. And without the technical details, I doubt
> this vulnerability would have received the attention it deserves until
> someone figures things out. We could easily have obfuscated the patch
> to delay this, but what's the point?

You're right. Thank you!

Alexander
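The message above mentions mitigating CVE-2014-6271 with "filters on devices in front of web servers, or tools like mod_security" for sites that cannot patch immediately. The following is an added example of the logic such a request-side filter needs; it is not code from this thread, from bash, or from mod_security. It assumes (from knowledge of the bug, not from this page) that a CGI-style web server copies request headers into environment variables and that a vulnerable bash parses any environment value beginning with the function-definition prefix "() {" as code. The regex, the header parser, and the sample requests are this example's own constructions; the regex is deliberately looser than the exact prefix so that whitespace variants are also caught, and only headers are inspected.

```python
"""Request-side pre-filter sketch for CVE-2014-6271 (added example).

A CGI server exports request headers as environment variables, e.g.
User-Agent becomes HTTP_USER_AGENT. A vulnerable bash treats an
environment value that starts with "() {" as a function definition and
parses it, so the filter flags header values with that prefix. This is
a stop-gap only; the real fix is a patched bash.
"""
import re
from typing import List, Tuple

# Assumption of this example: match the "() {" prefix with optional
# whitespace, so "(){" and "  () {" are caught as well as the exact form.
_FUNCDEF_PREFIX = re.compile(r"^\s*\(\)\s*\{")


def parse_headers(raw_request: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.x request head into (name, value) header pairs.

    The request line is skipped; the body (after the blank line) is ignored.
    """
    head, _, _body = raw_request.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers


def suspicious_headers(raw_request: str) -> List[str]:
    """Return the names of headers whose value would be parsed as a bash
    function definition if exported into a CGI environment."""
    return [name for name, value in parse_headers(raw_request)
            if _FUNCDEF_PREFIX.match(value)]


def should_block(raw_request: str) -> bool:
    """True if any header carries the function-definition prefix."""
    return bool(suspicious_headers(raw_request))


# Constructed sample requests (not captured traffic). The probe payload is
# inert: it defines an empty function and then echoes a marker.
BENIGN_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0 (compatible; monitor/1.0)\r\n"
    "\r\n"
)
PROBE_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: () { :; }; echo probe\r\n"
    "Referer: () {:;}; /bin/true\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("probe", PROBE_REQUEST)):
        print(label, "block" if should_block(req) else "pass",
              suspicious_headers(req))
```

The prefix check is anchored at the start of the value because that is where a vulnerable bash looks; a "() {" appearing later in an otherwise ordinary header is not flagged. A production filter would also need to consider other request data the server exports into the environment, which this sketch leaves out.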
Current thread:
- CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Henri Salo (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Alexander E. Patrakov (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash gremlin (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Tim (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Rich Felker (Sep 25)
- Re: CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash mancha (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)