oss-sec mailing list archives
Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash)
From: "Kobrin, Eric" <ekobrin () akamai com>
Date: Fri, 3 Oct 2014 17:17:20 -0500
On Oct 3, 2014, at 5:30 PM, Stephane Chazelas <stephane.chazelas () gmail com> wrote:
Sorry, I said in the other email that it was not in 1.12. That's my memory failing. I remember checking that it was not in 1.05 and it was, which is even more than my memory failing. Chet did tell me that it was added in 1.13 though. I've now found 1.12 (ftp://ftp.it.xemacs.org/%7BD/unix/packages/NCSA/DEC_Alpha/bash-1.12.tar.Z)
No worries. The version I used was at: http://www.oldlinux.org/Linux.old/bin/old/bash-1.05/variables.c Full tar: http://www.oldlinux.org/Linux.old/bin/old/bash-1.05.tar Brian Fox even wrote a UseNet post advertising the feature on September 8th, 1989 -- just over 25 years before you showed the rest of us that it was a vulnerability in disguise: https://groups.google.com/d/msg/gnu.bash.bug/72jXoIWYsfE/jJqC-fjSh0wJ If anyone has a copy of bash-1.02 or bash-1.03, I'd love to see it. It should be floating around some of the old NeXT archives. -- Eric Kobrin
Current thread:
- Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) David A. Wheeler (Oct 03)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Kobrin, Eric (Oct 03)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Stephane Chazelas (Oct 03)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Kobrin, Eric (Oct 03)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Riot (Oct 03)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Riot (Oct 03)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Stephane Chazelas (Oct 04)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Hanno Böck (Oct 04)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Steve Jones (Oct 04)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Lance Davis (Oct 04)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) David A. Wheeler (Oct 05)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Eric Blake (Oct 06)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Stephane Chazelas (Oct 03)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Kobrin, Eric (Oct 03)
- Re: Shellshock timeline Stephane Chazelas (Oct 03)