oss-sec mailing list archives
Re: Shellshock timeline
From: Eric Blake <eblake () redhat com>
Date: Fri, 03 Oct 2014 16:17:38 -0600
On 10/03/2014 04:10 PM, Eric Blake wrote:
On 10/03/2014 01:28 PM, David A. Wheeler wrote:

FYI, I've created a timeline of major Shellshock events here:
http://www.dwheeler.com/essays/shellshock.html#timeline

If anyone has corrections or key additions, let me know.

In section 1.2, you mention that Florian suggested suffix additions; but he was not alone in the suggestion; I also independently came up with the idea (primarily because patch 25 included a change to a comment line that mentioned the past attempt to use a suffix):

https://lists.gnu.org/archive/html/bug-bash/2014-09/msg00094.html
24 Sep 2014 15:38:31 -0600

My arguments at the time were based more on namespace pollution considerations (what happens when a function name and variable name collide), and it wasn't until later that I learned that the oss-security list was discussing ramifications of the fact that ANY parser bug is a major hole if untrusted user data is unconditionally presented to the parser, without regard to namespace pollution.

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org