oss-sec mailing list archives
Re: Fwd: Non-upstream patches for bash
From: Chet Ramey <chet.ramey () case edu>
Date: Mon, 29 Sep 2014 22:08:04 -0400
On 9/29/14, 11:44 AM, cve-assign () mitre org wrote:
> the parser is not locale-agnostic. Here's an example how it can be exploited: http://bugs.python.org/issue22187
>
> The discussion in Issue22187 is about changing code in Python 2.x to work around this. However, is it useful to assign one new CVE-2014-#### ID for Bash, on the expectation that Bash was intended to recognize valid characters in zh_CN.GBK, but instead is identifying part of a two-byte character as a \ character, and this has security implications for products that attempt to do otherwise-correct quoting of untrusted strings for use in sh commands?

Can someone send me a test case to look at?

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet () case edu    http://cnswww.cns.cwru.edu/~chet/
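
The byte-level ambiguity described in the quoted message, as an added example that is not part of the thread and is not Bash or Python project code: in GBK the byte 0x5C can be the trail byte of a two-byte character, so a byte-oriented parser counts a backslash the text does not contain. The function names and the sample bytes are assumptions constructed for illustration.

```python
from typing import List, Tuple


def classify_backslashes(raw: bytes) -> Tuple[List[int], List[int]]:
    """Walk GBK-encoded bytes and return (literal, embedded) offsets of 0x5C.

    literal:  0x5C standing alone, i.e. a real backslash character
    embedded: 0x5C that is the trail byte of a two-byte GBK character
    """
    literal, embedded = [], []
    i = 0
    while i < len(raw):
        b = raw[i]
        # GBK lead bytes are 0x81-0xFE; the byte after a lead byte is the
        # trail byte and must not be interpreted on its own.
        if 0x81 <= b <= 0xFE and i + 1 < len(raw):
            if raw[i + 1] == 0x5C:
                embedded.append(i + 1)
            i += 2
            continue
        if b == 0x5C:
            literal.append(i)
        i += 1
    return literal, embedded


def needs_review(text: str, encoding: str = "gbk") -> bool:
    """True if the encoded form holds more 0x5C bytes than the text has
    backslash characters, so byte-wise quoting and a character-aware
    reading of the same string can disagree."""
    raw = text.encode(encoding)  # raises UnicodeEncodeError if not encodable
    return raw.count(b"\\") != text.count("\\")


# Constructed sample: one two-byte GBK character ending in 0x5C, then a
# real backslash, then the letter "n".
SAMPLE = b"\xbf\x5c\\n"

if __name__ == "__main__":
    literal, embedded = classify_backslashes(SAMPLE)
    print("literal backslashes at byte offsets:", literal)
    print("0x5C inside a two-byte character at:", embedded)
    print("needs review under GBK:", needs_review(SAMPLE.decode("gbk")))
```

A caller that builds sh commands from untrusted strings can run `needs_review` with the locale's encoding before quoting and reject or re-encode input for which it returns True.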