oss-sec mailing list archives
Re: Fwd: Non-upstream patches for bash
From: cve-assign () mitre org
Date: Mon, 29 Sep 2014 11:44:31 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
the parser is not locale-agnostic. Here's an example how it can be exploited: http://bugs.python.org/issue22187
The discussion in Issue22187 is about changing code in Python 2.x to work around this. However, is it useful to assign one new CVE-2014-#### ID for Bash, on the expectation that Bash was intended to recognize valid characters in zh_CN.GBK, but instead is identifying part of a two-byte character as a \ character, and this has security implications for products that attempt to do otherwise-correct quoting of untrusted strings for use in sh commands? - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJUKX02AAoJEKllVAevmvms7lgH/2dhMdR3o/zLU2015e3AZOrh K2QOtr+BqH2vOsE/x98LZMtBYra+E3JysBJkqSxZcsSnr0FqBzGu08aB8ETMgrx5 DtaIeCTP7GM3T0zGCuX8dabCnAoQct0VuDSGOYCRCgf7lF1MUxC7RDT/8DbB/woO 4V1IbBBAfYVQicgvEmnkZUkhbhziC/9s1HeEFBwNldTDknV5HTVrHdlv0Y4y0/Bd 00LbClq+LPdqJ5/nspegWQ50d6e2ZksUBM4ahag3qxeWcT28om4yJ7Zm0eJ0D5BZ Xy3sc5j5ks/WDkna12JH+cFqd1snVuLE8POSHh0aOWf53Tla/zFCj9E3gwwUlVw= =j7/e -----END PGP SIGNATURE-----
Current thread:
- Re: Fwd: Non-upstream patches for bash, (continued)
- Re: Fwd: Non-upstream patches for bash Roman Drahtmueller (Sep 27)
- Re: Fwd: Non-upstream patches for bash Solar Designer (Sep 27)
- Re: Fwd: Non-upstream patches for bash Roman Drahtmueller (Sep 27)
- Re: Fwd: Non-upstream patches for bash Steve Jones (Sep 27)
- Re: Fwd: Non-upstream patches for bash Michael Samuel (Sep 28)
- Re: Fwd: Non-upstream patches for bash Sven Kieske (Sep 28)
- Re: [langsec-discuss] [oss-security] Fwd: Non-upstream patches for bash Paul Burchard (Sep 29)
- Re: Fwd: Non-upstream patches for bash Bernhard Hermann (Sep 29)
- Re: Fwd: Non-upstream patches for bash Ed Prevost (Sep 29)
- Re: Fwd: Non-upstream patches for bash Jakub Wilk (Sep 29)
- Re: Fwd: Non-upstream patches for bash cve-assign (Sep 29)
- Re: Fwd: Non-upstream patches for bash Chet Ramey (Sep 29)
- Re: [security-vendor] Re: [oss-security] Fwd: Non-upstream patches for bash Mark Hatle (Sep 26)
- Re: Re: Non-upstream patches for bash John Haxby (Sep 26)
- Re: Re: Non-upstream patches for bash Ángel González (Sep 26)