oss-sec mailing list archives
Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash)
From: Steve Jones <trevd1234 () gmail com>
Date: Sat, 4 Oct 2014 15:15:00 +0100
cd.textfiles.com and archive.org both have a collection of shareware CD images of all stripes from around that era. They're probably worth a look.

The GNU bulletins may serve as another useful historical artifact.
http://www.gnu.org/bulletins/
Bulletin 7 has the bash beta announce and each issue has a list of ftp download sites. I expect most are dead, but you might get lucky.

I suspect the trail runs cold in this case due to the GNUFtp Hack incident of 2003:
http://net-security.org/article.php?id=544

On 4 October 2014 14:22, Hanno Böck <hanno () hboeck de> wrote:
> On Sat, 4 Oct 2014 00:19:06 +0100, Riot <rain.backnet () gmail com> wrote:
>
>> We then worked further back in time, unearthing bash 1.08.2 on an
>> ancient 1991 Atari ST image:
>> http://images.rymate.co.uk/images/iwaSGPo.png
>>
>> This was also vulnerable. This version is relevant because the first
>> version of bash ported to linux was bash 1.08 - here's the original
>> post by Linus at the tender age of advertising his first build of
>> linux on the minix newsgroup in 1991, explicitly mentioning bash 1.08.
>> This datum told us that shellshock is older than all of linux, which
>> makes for a nice soundbite for the press.
>>
>> Going back further proved very difficult because few archives
>> including these early versions exist anywhere, and by all accounts the
>> early releases were buggy and not particularly portable. We eventually
>> managed to locate an image for an obscure Japanese Human68k containing
>> bash 1.05. Here it identifies itself as bash 1.05 X6_19:
>> http://images.rymate.co.uk/images/kH8VnTo.png
>>
>> The file is dated 12/08/1991... and of course it's vulnerable:
>> http://images.rymate.co.uk/images/zTYm05I.png
>
> Can you post the relevant download links to the atari st / 68k images
> and other possibly interesting stuff? Or were they from private
> archives?
>
> I think independently of current events this might be interesting for
> people digging in IT history, so having them somewhere easy to find
> would be nice.
>
> --
> Hanno Böck
> http://hboeck.de/
>
> mail/jabber: hanno () hboeck de
> GPG: BBB51E42