oss-sec mailing list archives
Re: CVE-2014-6271: remote code execution through bash
From: Solar Designer <solar () openwall com>
Date: Thu, 25 Sep 2014 20:15:46 +0400
On Thu, Sep 25, 2014 at 11:37:45AM -0400, Chet Ramey wrote:
> On 9/24/14, 10:47 PM, Solar Designer wrote:
> > While we're at it, I think it's preferable not to output error messages triggerable by untrusted input, e.g.:
> [...]
> I disagree. It's important for a program -- not just the shell -- to tell the user when it attempts to do something on his behalf and is unable to do it.

There's obviously a trade-off here. I agree that keeping the error messages is the right thing if we can keep them contained to local usage (and local attack) scenarios under typical setups. I think applying Florian's prefix-suffix patch will achieve that (besides its main goal of actually mitigating most attacks).

What do you think of distros' going with Florian's prefix-suffix patch right now? I think it breaks function imports/exports between pre-patch and post-patch bash versions, but keeps them intact for patched versions. Right?

If so, this sounds acceptable for immediate use by distros. Do you agree?

Alexander
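The export/import behaviour discussed above, as an added probe script that is not part of this thread or of bash itself: it shows the namespaced variable a patched bash uses for an exported function, that patched-to-patched export still round-trips, and that the pre-patch format (a bare variable holding a function body) is no longer imported. It assumes a patched `bash` is on PATH; the `BASH_FUNC_` prefix and the `%%` / `()` suffix are the names used by the prefix-suffix patch and later upstream bash, not something the message quotes.

```shell
# Added example: probe how the bash on this host namespaces exported functions.
# Assumes a patched "bash" on PATH. The function name probe_fn is constructed here.

# Environment variable name a patched bash uses for an "export -f" function.
# Prints e.g. BASH_FUNC_probe_fn%% (upstream bash) or BASH_FUNC_probe_fn()
# (early distro builds of the patch); unpatched bash used the bare name.
exported_function_var_name() {
    bash -c 'probe_fn() { echo hi; }; export -f probe_fn; env' 2>/dev/null |
        sed -n 's/^\(BASH_FUNC_probe_fn[^=]*\)=.*/\1/p'
}

# Patched-to-patched export keeps working: the child bash imports probe_fn
# from its environment and runs it, printing "hi".
patched_export_roundtrip() {
    bash -c 'probe_fn() { echo hi; }; export -f probe_fn; bash -c probe_fn' 2>/dev/null
}

# The pre-patch format is a bare variable whose value is a function body.
# A post-patch bash treats it as an ordinary string, which is the cross-version
# breakage the thread discusses. Prints "function" if the definition was
# imported as a function, "not-imported" if it stayed a plain variable.
plain_var_function_import() {
    env probe_fn='() { echo imported; }' \
        bash -c 'type -t probe_fn 2>/dev/null || echo not-imported' 2>/dev/null
}

# Print all three observations for the bash found on this host.
report() {
    printf 'export var name:   %s\n' "$(exported_function_var_name)"
    printf 'patched roundtrip: %s\n' "$(patched_export_roundtrip)"
    printf 'plain-var import:  %s\n' "$(plain_var_function_import)"
}
```

Call `report` to see the three results; on a patched bash the last line reads `not-imported`.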