oss-sec mailing list archives
Re: Healing the bash fork
From: John Haxby <john.haxby () oracle com>
Date: Mon, 29 Sep 2014 20:39:07 +0100
On 29 Sep 2014, at 19:50, David A. Wheeler <dwheeler () dwheeler com> wrote:
> That said, a lot of people are looking to find other attack paths. Shellshock has pointed out a kind of attack path that most people hadn't examined before. I'd still like to see Christos Zoulas's approach included eventually, since that's an even stronger countermeasure. After all, if function imports only happen on request, then non-requesters will have no problem. But I also understand that Zoulas's approach is backwards-incompatible, and thus the bash folks are hesitant to apply it. If that can't be added now, perhaps it could be added in a next release of bash?

Normally I’d be all for maintaining backwards compatibility: we spend a lot of time fixing bugs in a way that doesn’t break anything. On this occasion, though, I think Christos Zoulas’s approach is both correct and needed.

jch