oss-sec mailing list archives

Re: CVE-2014-6271: remote code execution through bash

From: Michal Zalewski <lcamtuf () coredump cx>
Date: Sat, 27 Sep 2014 12:39:57 -0700

STD::what::does::this::do


We ran into this problem with the original patch at Google, but TBH,
we've just bitten the bullet.

I'm not sure how hard we should try to accommodate outliers like this
specifically for functions - as far as I can tell, you can't really
get away with meaningfully using colons in variable names, right? But
if you just want to minimize breakage without getting into existential
discussions, wouldn't wihtelisting : and perhaps periods and - going
out on a limb - brackets be good enough?

/mz

Current thread:

Re: CVE-2014-6271: remote code execution through bash, (continued)
- - - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Huzaifa Sidhpurwala (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 26)
    - Re: CVE-2014-6271: remote code execution through bash David A. Wheeler (Sep 26)
    - Message not available
    - Message not available
    - Message not available
    - Message not available
    - Message not available
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 27)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 27)
    - Re: CVE-2014-6271: remote code execution through bash Michal Zalewski (Sep 27)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 27)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 27)
    - Re: CVE-2014-6271: remote code execution through bash Eric Blake (Sep 27)
    - Re: CVE-2014-6271: remote code execution through bash Eric Blake (Sep 27)
    - Re: CVE-2014-6271: remote code execution through bash Eric Blake (Sep 27)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 29)
    - Re: CVE-2014-6271: remote code execution through bash Hanno Böck (Sep 27)
    - Re: CVE-2014-6271: remote code execution through bash Eric Blake (Sep 28)
    - Healing the bash fork (was: Re: [oss-security] CVE-2014-6271: remote code execution through bash) Florian Weimer (Sep 29)
    - Re: Healing the bash fork Eric Blake (Sep 29)

(Thread continues...)