oss-sec mailing list archives

Re: Fwd: Non-upstream patches for bash

From: cve-assign () mitre org
Date: Mon, 29 Sep 2014 11:44:31 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

the parser is not locale-agnostic. Here's an example how it can be
exploited:
http://bugs.python.org/issue22187


The discussion in Issue22187 is about changing code in Python 2.x to
work around this. However, is it useful to assign one new
CVE-2014-#### ID for Bash, on the expectation that Bash was intended
to recognize valid characters in zh_CN.GBK, but instead is identifying
part of a two-byte character as a \ character, and this has security
implications for products that attempt to do otherwise-correct quoting
of untrusted strings for use in sh commands?

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUKX02AAoJEKllVAevmvms7lgH/2dhMdR3o/zLU2015e3AZOrh
K2QOtr+BqH2vOsE/x98LZMtBYra+E3JysBJkqSxZcsSnr0FqBzGu08aB8ETMgrx5
DtaIeCTP7GM3T0zGCuX8dabCnAoQct0VuDSGOYCRCgf7lF1MUxC7RDT/8DbB/woO
4V1IbBBAfYVQicgvEmnkZUkhbhziC/9s1HeEFBwNldTDknV5HTVrHdlv0Y4y0/Bd
00LbClq+LPdqJ5/nspegWQ50d6e2ZksUBM4ahag3qxeWcT28om4yJ7Zm0eJ0D5BZ
Xy3sc5j5ks/WDkna12JH+cFqd1snVuLE8POSHh0aOWf53Tla/zFCj9E3gwwUlVw=
=j7/e
-----END PGP SIGNATURE-----

Current thread:

Re: Fwd: Non-upstream patches for bash, (continued)
- - - Re: Fwd: Non-upstream patches for bash Roman Drahtmueller (Sep 27)
    - Re: Fwd: Non-upstream patches for bash Solar Designer (Sep 27)
    - Re: Fwd: Non-upstream patches for bash Roman Drahtmueller (Sep 27)
    - Re: Fwd: Non-upstream patches for bash Steve Jones (Sep 27)
    - Re: Fwd: Non-upstream patches for bash Michael Samuel (Sep 28)
    - Re: Fwd: Non-upstream patches for bash Sven Kieske (Sep 28)
    - Re: [langsec-discuss] [oss-security] Fwd: Non-upstream patches for bash Paul Burchard (Sep 29)
    - Re: Fwd: Non-upstream patches for bash Bernhard Hermann (Sep 29)
    - Re: Fwd: Non-upstream patches for bash Ed Prevost (Sep 29)
    - Re: Fwd: Non-upstream patches for bash Jakub Wilk (Sep 29)
    - Re: Fwd: Non-upstream patches for bash cve-assign (Sep 29)
    - Re: Fwd: Non-upstream patches for bash Chet Ramey (Sep 29)
- Re: Fwd: Non-upstream patches for bash Marc Deslauriers (Sep 25)
- Re: Fwd: Non-upstream patches for bash Marc Deslauriers (Sep 25)
  - Re: [security-vendor] Re: [oss-security] Fwd: Non-upstream patches for bash Mark Hatle (Sep 26)
- Re: Fwd: Non-upstream patches for bash cve-assign (Sep 25)
- Re: Fwd: Non-upstream patches for bash Hanno Böck (Sep 26)
- Re: Non-upstream patches for bash Ángel González (Sep 26)
  - Re: Re: Non-upstream patches for bash John Haxby (Sep 26)
    - Re: Re: Non-upstream patches for bash Ángel González (Sep 26)
- Array importing in bash 4.3 (was: Re: [oss-security] Fwd: Non-upstream patches for bash) Florian Weimer (Sep 29)

(Thread continues...)