oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE-2014-6271: remote code execution through bash

From: Hanno Böck <hanno () hboeck de>
Date: Sun, 28 Sep 2014 07:22:14 +0200
On Sat, 27 Sep 2014 21:39:19 -0400
Chet Ramey <chet.ramey () case edu> wrote:


OK, here are the more-or-less final versions of the patches for
bash-2.05b through bash-4.3.  I made two changes from earlier today:
the function export suffix is now `%%', which is not part of a the
set of valid variable name characters but avoids any potential
problems with including shell metacharacters in the name; and this
version refuses to import shell functions whose name contains a
slash, for reasons I discussed earlier.


From what I can see your official patches still don't contain the
out-of-bound memory fixes.

While not exposing the parser to random variables should shield that
somewhat and reduce impact, they still should be fixed and the redhat
patch looks pretty straightforward.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42

Attachment: signature.asc
Description:

Previous By Date Next
Previous By Thread Next

Current thread: