oss-sec mailing list archives
Re: Healing the bash fork
From: "Stuart D. Gathman" <stuart () gathman org>
Date: Wed, 1 Oct 2014 00:03:21 -0400 (EDT)
On Tue, 30 Sep 2014, Michal Zalewski wrote:
You're describing taint tracking, which is actually a pretty hard problem when you realize that data isn't an abstract, immutable entity, but rather something that is used as input for arithmetics, conditional branches, etc (is a byte set as a result of a tainted conditional also tainted? for far-reaching should this effect be?). But more fundamentally, in your example, what does it prove? In practical settings, privileged programs will routinely have data from lower (or at least other) privilege levels in memory, but that doesn't indicate a security problem. In particular, both the fixed and the vulnerable versions of bash will have that property when invoked via a servlet.
It doesn't "prove" anything, but I thought it could maybe narrow down the code to audit carefully. I figured it had already been done.
Current thread:
- Re: Healing the bash fork Michal Zalewski (Sep 30)
- Re: Healing the bash fork Zach Wikholm (Sep 30)
- Re: Healing the bash fork Peter Bex (Sep 30)
- <Possible follow-ups>
- Re: Healing the bash fork Michal Zalewski (Sep 30)
- Re: Healing the bash fork Stuart D. Gathman (Oct 01)
- Re: Healing the bash fork Hanno Böck (Oct 01)
- Re: Healing the bash fork Jason Cooper (Oct 01)
- Re: Healing the bash fork Greg KH (Oct 01)
- Re: Healing the bash fork Jason Cooper (Oct 01)
- Re: Healing the bash fork Greg KH (Oct 01)
- Re: Healing the bash fork Loganaden Velvindron (Oct 01)
- Re: Healing the bash fork Colin Mahns (Oct 01)
- Re: Healing the bash fork Jason Cooper (Oct 01)
- Re: Healing the bash fork Zach Wikholm (Sep 30)
- Re: Healing the bash fork Florian Weimer (Oct 01)
- Re: Healing the bash fork David A. Wheeler (Oct 02)