oss-sec mailing list archives

Re: Fwd: Non-upstream patches for bash


From: Huzaifa Sidhpurwala <huzaifas () redhat com>
Date: Thu, 25 Sep 2014 23:37:12 +0530

On 09/25/2014 11:26 PM, Solar Designer wrote:
On Thu, Sep 25, 2014 at 11:19:24PM +0530, Huzaifa Sidhpurwala wrote:
Based on the current situation and the fact that there is confusion
about what patch to use for the bash issue, I wanted to post this here.

Thanks!

From: Florian Weimer <fweimer () redhat com>
[...]
Internal analysis revealed two out-of-bounds array accesses in the bash
parser.  This was also independently and privately reported by Todd
Sabin <tsabin () optonline net>.

Have these been reported upstream?

Nope, but I just CCed Chet on it now :)

What's the oldest version of bash affected by them?

Your reproducers didn't trigger any obvious misbehavior here with 3.1.8
with lots of unrelated patches.  Of course, this does not mean much, but
maybe these issues are in fact 3.2+?

Yes, 3.2+; I have not checked older versions though.

Alexander



--
Huzaifa Sidhpurwala / Red Hat Product Security Team

