oss-sec mailing list archives

Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash)

From: Steve Jones <trevd1234 () gmail com>
Date: Sat, 4 Oct 2014 15:15:00 +0100

cd.textfiles.com and archive.org both have a collection of
shareware cd images of a stripes from around that era.
They're probably worth a look.

The GNU bulletins may serve as another useful
historical artifact.

http://www.gnu.org/bulletins/

Bulletin 7 has the bash beta announce and each
issue has a list of ftp download sites. I expect most
are dead but you get lucky

I suspect the trail runs cold in this case due to the
GNUFtp Hack incident of 2003
http://net-security.org/article.php?id=544


On 4 October 2014 14:22, Hanno Böck <hanno () hboeck de> wrote:

Am Sat, 4 Oct 2014 00:19:06 +0100
schrieb Riot <rain.backnet () gmail com>:

We then worked further back in time, unearthing bash 1.08.2 on an
ancient 1991 Atari ST image:
http://images.rymate.co.uk/images/iwaSGPo.png  This was also
vulnerable.  This version is relevant because the first version of
bash ported to linux was bash 1.08 - here's the original post by
Linus at the tender age of  advertising his first build of linux on
the minix newsgroup in 1991, explicitly mentioning bash 1.08.  This
datum told us that shellshock is older than all of linux, which makes
for a nice soundbite for the press.

Going back further proved very difficult because few archives
including these early versions exist anywhere, and by all accounts
the early releases were buggy and not particularly portable.  We
eventually managed to locate an image for an obscure Japanese
Human68k containing bash 1.05.  Here it identifies itself as bash
1.05 X6_19: http://images.rymate.co.uk/images/kH8VnTo.png  The file
is dated 12/08/1991... and of course it's vulnerable:
http://images.rymate.co.uk/images/zTYm05I.png



Can you post the relevant download links to the atari st / 68k images
and other possibly interesting stuff? Or where they from private
archives?

I think independently of current events this might be interesting for
people digging in IT history, so having them somewhere easy to find
would be nice.

--
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42

Current thread:

Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) David A. Wheeler (Oct 03)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Kobrin, Eric (Oct 03)
  - Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Stephane Chazelas (Oct 03)
    - Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Kobrin, Eric (Oct 03)
    - Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Riot (Oct 03)
    - Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Riot (Oct 03)
    - Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Stephane Chazelas (Oct 04)
    - Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Hanno Böck (Oct 04)
    - Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Steve Jones (Oct 04)
    - Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Lance Davis (Oct 04)
    - Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) David A. Wheeler (Oct 05)
    - Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Eric Blake (Oct 06)
- Re: Shellshock timeline Stephane Chazelas (Oct 03)
  - Re: Shellshock timeline Stephane Chazelas (Oct 03)
    - Stéphane Chazelas: How *DID* you find Shellshock? David A. Wheeler (Oct 08)
    - Re: Stéphane Chazelas: How *DID* you find Shellshock? stephane.chazelas (Oct 08)
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Eric Blake (Oct 03)
  - Re: Shellshock timeline Eric Blake (Oct 03)
- <Possible follow-ups>
- Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Riot (Oct 04)