oss-sec mailing list archives
Re: Fwd: Non-upstream patches for bash
From: Huzaifa Sidhpurwala <huzaifas () redhat com>
Date: Thu, 25 Sep 2014 23:37:12 +0530
On 09/25/2014 11:26 PM, Solar Designer wrote:
> On Thu, Sep 25, 2014 at 11:19:24PM +0530, Huzaifa Sidhpurwala wrote:
>> Based on the current situation and the fact that there is confusion about what patch to use for the bash issue, I wanted to post this here.
>
> Thanks!
>
>> From: Florian Weimer <fweimer () redhat com>
> [...]
>> Internal analysis revealed two out-of-bounds array accesses in the bash parser. This was also independently and privately reported by Todd Sabin <tsabin () optonline net>.
>
> Have these been reported upstream?

Nope, but I just CCed Chet on it now :)

> What's the oldest version of bash affected by them? Your reproducers didn't trigger any obvious misbehavior here with 3.1.8 with lots of unrelated patches. Of course, this does not mean much, but maybe these issues are in fact 3.2+?

Yes, 3.2+; I have not checked older versions though.

> Alexander
-- Huzaifa Sidhpurwala / Red Hat Product Security Team