oss-sec mailing list archives
Re: CVE-2014-6271: remote code execution through bash
From: Chet Ramey <chet.ramey () case edu>
Date: Wed, 24 Sep 2014 16:00:49 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 9/24/14, 3:12 PM, mancha wrote:
Hello Chet et al. While taking a closer look at this issue on Bash 4.2, I noticed a potential NULL deref. i.e. $ FOO='() { :;}; blah4242' bash -c "echo bleh" This occurs in bgp_prune() where, because bgpids.npid=0 and js_c_childmax=-1, the code in the loop executes but bgpids.list=NULL.
Thanks for the report. This is a problem, but the patch closes off that code path. Chet - -- ``The lyf so short, the craft so long to lerne.'' - Chaucer ``Ars longa, vita brevis'' - Hippocrates Chet Ramey, ITS, CWRU chet () case edu http://cnswww.cns.cwru.edu/~chet/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (Darwin) iEYEARECAAYFAlQjIvAACgkQu1hp8GTqdKulqgCeKgb8enVUZMM9qQgmCAEgjpg0 C2QAnRGtrZb9Uh9kMTAiDvtI9E6U5BSp =Fxrx -----END PGP SIGNATURE-----
Current thread:
- Re: CVE-2014-6271: remote code execution through bash, (continued)
- Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Henri Salo (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Alexander E. Patrakov (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash gremlin (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Tim (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Rich Felker (Sep 25)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash mancha (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
- Re: CVE-2014-6271: remote code execution through bash Alan J. Wylie (Sep 26)
- Re: CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Hanno Böck (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)