oss-sec mailing list archives
Re: CVE-2014-6271: remote code execution through bash
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Sat, 27 Sep 2014 12:39:57 -0700
STD::what::does::this::do
We ran into this problem with the original patch at Google, but TBH, we've just bitten the bullet. I'm not sure how hard we should try to accommodate outliers like this specifically for functions - as far as I can tell, you can't really get away with meaningfully using colons in variable names, right? But if you just want to minimize breakage without getting into existential discussions, wouldn't wihtelisting : and perhaps periods and - going out on a limb - brackets be good enough? /mz
Current thread:
- Re: CVE-2014-6271: remote code execution through bash, (continued)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
- Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 25)
- Re: CVE-2014-6271: remote code execution through bash Huzaifa Sidhpurwala (Sep 25)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
- Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 26)
- Re: CVE-2014-6271: remote code execution through bash David A. Wheeler (Sep 26)
- Message not available
- Message not available
- Message not available
- Message not available
- Message not available
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 27)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 27)
- Re: CVE-2014-6271: remote code execution through bash Michal Zalewski (Sep 27)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 27)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 27)
- Re: CVE-2014-6271: remote code execution through bash Eric Blake (Sep 27)
- Re: CVE-2014-6271: remote code execution through bash Eric Blake (Sep 27)
- Re: CVE-2014-6271: remote code execution through bash Eric Blake (Sep 27)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 29)
- Re: CVE-2014-6271: remote code execution through bash Hanno Böck (Sep 27)
- Re: CVE-2014-6271: remote code execution through bash Eric Blake (Sep 28)
- Healing the bash fork (was: Re: [oss-security] CVE-2014-6271: remote code execution through bash) Florian Weimer (Sep 29)
- Re: Healing the bash fork Eric Blake (Sep 29)