oss-sec mailing list archives

Re: CVE-2014-6271: remote code execution through bash

From: Solar Designer <solar () openwall com>
Date: Thu, 25 Sep 2014 20:15:46 +0400

On Thu, Sep 25, 2014 at 11:37:45AM -0400, Chet Ramey wrote:

On 9/24/14, 10:47 PM, Solar Designer wrote:

While we're at it, I think it's preferable not to output error messages
triggerable by untrusted input, e.g.:

[...]

I disagree.  It's important for a program -- not just the shell -- to tell
the user when it attempts to do something on his behalf and is unable to
do it.


There's obviously a trade-off here.  I agree that keeping the error
messages is the right thing if we can keep them contained to local usage
(and local attack) scenarios under typical setups.  I think applying
Florian's prefix-suffix patch will achieve that (besides its main goal
of actually mitigating most attacks).

What do you think of distros' going with Florian's prefix-suffix patch
right now?  I think it breaks function imports/exports between
pre-patch and post-patch bash versions, but keeps them intact for
patched versions.  Right?  If so, this sounds acceptable for immediate
use by distros.  Do you agree?

Alexander

Current thread:

Re: Healing the bash fork, (continued)
- - - Re: Healing the bash fork Florian Weimer (Sep 30)
    - Re: Healing the bash fork Gennady Kupava (Sep 30)
    - Re: Healing the bash fork gremlin (Sep 30)
    - Re: Healing the bash fork Kobrin, Eric (Sep 29)
    - Re: Healing the bash fork Michal Zalewski (Sep 29)
    - Re: Healing the bash fork Kobrin, Eric (Sep 30)
    - Re: Re: Healing the bash fork Todd C. Miller (Sep 29)
    - atd (was: Re: [oss-security] Re: Healing the bash fork) Seth Arnold (Sep 29)
    - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Christos Zoulas (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Tavis Ormandy (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Michal Zalewski (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 25)
- Re: CVE-2014-6271: remote code execution through bash Hanno Böck (Sep 24)
  - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)

(Thread continues...)