oss-sec mailing list archives

Re: Healing the bash fork

From: Jason Cooper <osssecurity () lakedaemon net>
Date: Wed, 1 Oct 2014 12:08:15 -0400

On Wed, Oct 01, 2014 at 08:55:35AM -0700, Greg KH wrote:

On Wed, Oct 01, 2014 at 07:15:56AM -0400, Jason Cooper wrote:

On Wed, Oct 01, 2014 at 01:08:09PM +0200, Hanno Böck wrote:

Am Tue, 30 Sep 2014 19:19:55 -0400 (EDT)
schrieb "David A. Wheeler" <dwheeler () dwheeler com>:

Finally: *PLEASE* let me know if you have any good ideas on how to
find vulnerabilities like this ahead-of-time. My article "How to
Prevent the Next
Hearbleed" (http://www.dwheeler.com/essays/heartbleed.html) lists a
number of ways that Heartbleed-like vulnerabilities could have been
detected ahead-of-time, in ways that are general enough to be
useful.  I'd like to do the same with Shellshock, so we can quickly
eliminate a whole class of problems.


The "class of problems" here is imho that we have a bunch of tools that
get rare attention from anyone, are run by few volunteers, but they're
an essential part in running the Internet.

Just think about busybox, curl, wget, coreutils, gettext, gzip, ... - a
vuln in any of these could have severe consequences.

Maybe the topic here should be: "How can we get the (whitehat) IT
seucrity community to have a deeper look at neglected but important
opensource projects."


The LF has the Core Infrastructure Initiative:

  http://www.linuxfoundation.org/programs/core-infrastructure-initiative/faq


Yes, that's exactly what that group is doing, and they have a huge list
of these types of projects that they are looking into funding to help
prevent this type of thing from happening again.  I'll go add bash to
the list there as I don't think it is currently on it at the moment.


Could we also update the FAQ to include "How to recommend a project?"?
A few days ago I tried to recommend bash.  I dug around, and finally
just sent an email to Ted.  Which I don't think is the correct answer
;-)

thx,

Jason.

Current thread:

Re: Healing the bash fork Michal Zalewski (Sep 30)
- Re: Healing the bash fork Zach Wikholm (Sep 30)
  - Re: Healing the bash fork Peter Bex (Sep 30)
- <Possible follow-ups>
- Re: Healing the bash fork Michal Zalewski (Sep 30)
  - Re: Healing the bash fork Stuart D. Gathman (Oct 01)
- Re: Healing the bash fork Hanno Böck (Oct 01)
  - Re: Healing the bash fork Jason Cooper (Oct 01)
    - Re: Healing the bash fork Greg KH (Oct 01)
    - Re: Healing the bash fork Jason Cooper (Oct 01)
    - Re: Healing the bash fork Greg KH (Oct 01)
    - Re: Healing the bash fork Loganaden Velvindron (Oct 01)
    - Re: Healing the bash fork Colin Mahns (Oct 01)
- Re: Healing the bash fork Tomas Hoger (Oct 01)
  - Re: Healing the bash fork Florian Weimer (Oct 01)
    - Re: Healing the bash fork David A. Wheeler (Oct 02)
- Re: Healing the bash fork Florian Weimer (Oct 06)
  - Re: Healing the bash fork David A. Wheeler (Oct 06)