oss-sec mailing list archives
Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability)
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Mon, 29 Sep 2014 07:45:22 -0700
Am I the only one who is wondering: Who is paying Chet to do this?
Chet probably had a busy couple of weeks because of a piece of code that went unnoticed for longer than the age of some people posting to this list. As soon as additional problems with the original fix cropped up, he also worked pretty hard to adopt a more robust prefix approach, which shipped upstream about a day ago. While I'd be the first to line up and just get rid of the affected functionality, the worries about compatibility with existing code are pretty valid. Heck, we unexpectedly bumped into issues with that when fixing the bug at Google. We were surprised to notice that some people do use function exports in their code, and then, that some of them use mock object-oriented notation like function foo::bar { ... } - which actually malfunctioned after the first patch. So, I don't think there's a lot of value in making random accusations. /mz
Current thread:
- Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Mark R Bannister (Sep 26)
- <Possible follow-ups>
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Hanno Böck (Sep 26)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Florian Weimer (Sep 26)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) John Haxby (Sep 26)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Bernhard Hermann (Sep 26)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Christos Zoulas (Sep 26)
- Re: Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Bryan Drewery (Sep 26)
- Re: Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Bryan Drewery (Sep 28)
- Re: Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Loganaden Velvindron (Sep 29)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Giles Coochey (Sep 29)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Michal Zalewski (Sep 29)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Michal Zalewski (Sep 29)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Osmond Sun (Sep 29)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Chet Ramey (Sep 29)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Kobrin, Eric (Sep 29)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Chet Ramey (Sep 29)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) John Haxby (Sep 26)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Osmond Sun (Sep 29)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Giles Coochey (Sep 29)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Chet Ramey (Sep 29)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Giles Coochey (Sep 29)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Ed Prevost (Sep 29)