Re: CVE-2014-6271: remote code execution through bash

[Solar Designer <solar () openwall com>]

Florian,

On Wed, Sep 24, 2014 at 09:21:40PM +0200, Florian Weimer wrote:
> * Florian Weimer:
>
> > Someone has posted large parts of the prenotification as a news
> > article, so in the interest of full disclosure, here is what we wrote
> > to the non-vendors (vendors also received patches):
>
> Oh dear.  It's now been implied that something leaked before the
> embargo was over, or that more information was disclosed than planned.
>
> This is not the case, on neither count.  I was just annoyed that parts
> of a private message I wrote ended up on a news site without my prior
> consent.  The disclosure as such wasn't a problem, except for a single
> technical inaccuracy that has since been corrected.  It was an honest
> mistake, apologies were made and accepted.  It did not impact the
> disclosure schedule at all (it happened after the disclosure), nor the
> amount of information being disclosed in any material way (the Red Hat
> blog post contained essentially the same information).  Once I saw
> what happened, I decided to publish the full message here.

This brings up the question: why did someone (merely?) running a news
site receive the exact advance notification message (or a portion of
it), and when did they receive it?  I doubt a person merely running a
news site actually received advance notification in this case (I hope
not!), but I think you need to clarify this aspect.

> So to repeat: The embargo was scheduled for 14:00 UTC today, and my
> initial brief posting was not prompted by a desire to withhold
> information.  I just wanted to limit the amount of possibly
> conflicting technical information, and I had other duties to attend
> to.  (In retrospect, I should probably have included the message from
> the prenotification from the start, which would have avoided any
> confusion.)

Yes, I think including the full message in your first notification to
oss-security would have worked best.

> We'll also want to discuss additional hardening measures (see my
> message about BASH_FUNCDEFS), and we previously agreed to do this
> publicly, after disclosure.  Obviously, the technical details are
> necessarily public once we do that.
>
> It's often tricky to decide how much information to include in a
> public vulnerability disclosure.  In this particular case, I think we
> had to publish technical details so that those who cannot patch
> immediately can at least try to mitigate this vulnerability using
> filters on devices in front of web servers, or tools like
> mod_security.  And without the technical details, I doubt this
> vulnerability would have received the attention it deserves until
> someone figures things out.  We could easily have obfuscated the patch
> to delay this, but what's the point?

You're right.

Thank you!

Alexander