oss-sec mailing list archives

Re: Healing the bash fork

From: "Stuart D. Gathman" <stuart () gathman org>
Date: Wed, 1 Oct 2014 00:03:21 -0400 (EDT)

On Tue, 30 Sep 2014, Michal Zalewski wrote:

You're describing taint tracking, which is actually a pretty hard
problem when you realize that data isn't an abstract, immutable
entity, but rather something that is used as input for arithmetics,
conditional branches, etc (is a byte set as a result of a tainted
conditional also tainted? for far-reaching should this effect be?).

But more fundamentally, in your example, what does it prove? In
practical settings, privileged programs will routinely have data from
lower (or at least other) privilege levels in memory, but that doesn't
indicate a security problem. In particular, both the fixed and the
vulnerable versions of bash will have that property when invoked via a servlet.


It doesn't "prove" anything, but I thought it could maybe narrow down the
code to audit carefully.  I figured it had already been done.

Current thread:

Re: Healing the bash fork Michal Zalewski (Sep 30)
- Re: Healing the bash fork Zach Wikholm (Sep 30)
  - Re: Healing the bash fork Peter Bex (Sep 30)
- <Possible follow-ups>
- Re: Healing the bash fork Michal Zalewski (Sep 30)
  - Re: Healing the bash fork Stuart D. Gathman (Oct 01)
- Re: Healing the bash fork Hanno Böck (Oct 01)
  - Re: Healing the bash fork Jason Cooper (Oct 01)
    - Re: Healing the bash fork Greg KH (Oct 01)
    - Re: Healing the bash fork Jason Cooper (Oct 01)
    - Re: Healing the bash fork Greg KH (Oct 01)
    - Re: Healing the bash fork Loganaden Velvindron (Oct 01)
    - Re: Healing the bash fork Colin Mahns (Oct 01)
- Re: Healing the bash fork Tomas Hoger (Oct 01)
  - Re: Healing the bash fork Florian Weimer (Oct 01)
    - Re: Healing the bash fork David A. Wheeler (Oct 02)

(Thread continues...)