oss-sec mailing list archives

Re: Re: Thoughts on Shellshock and beyond


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Wed, 8 Oct 2014 07:26:25 -0700

> Note that the hardening fix that was provided in a rush
> post-disclosure is not the best one. [...]
> It breaks backward compatibility because it restricts which
> functions can be exported. For instance, you can't export a
> /bin/rm function anymore (was useful as a debugging tool).

Hmm, wasn't that breakage actually caused by the first (original)
patch, which added a call to legal_identifier()? We had problems with
the patch specifically because it managed to break several instances
where people were trying to export "fake object-oriented" function
names such as foo::bar.

/mz
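The exchange above is about which function names survive the trip from a parent bash into a child bash through the environment after the Shellshock fixes. The script below is an added example, not code from the thread or from the bash project: it defines a function under a chosen name, exports it with `export -f`, and reports whether a child bash imports it, alongside the classic CVE-2014-6271 probe. It assumes a bash with the post-Shellshock import fixes (upstream 4.3.27 or later) on PATH; the outer script is plain POSIX sh and runs every bash-specific step inside `bash -c`. The names `plain_name`, `foo::bar` and `/bin/rm` are constructed test inputs, the last two being the cases mentioned in the thread.

```shell
#!/bin/sh
# Added example, not from the thread.  Assumes a bash (>= 4.3.27, i.e. with
# the post-Shellshock import fixes) on PATH.  The outer script is POSIX sh;
# bash-specific steps run inside `bash -c`.  Function names are constructed.

# probe_export NAME: define a function called NAME in a parent bash, mark it
# with `export -f`, and report whether a child bash sees a *function* of that
# name after importing its environment.  Prints "imported" or "rejected".
probe_export() {
    bash -c '
        unset POSIXLY_CORRECT   # the importer is stricter in POSIX mode
        name=$1
        eval "function $name { echo from-parent; }" 2>/dev/null || { echo rejected; exit 0; }
        # Newer bash refuses some names at export time ("cannot export");
        # older fixed releases export them and the child drops them instead.
        export -f "$name" 2>/dev/null || { echo rejected; exit 0; }
        bash -c "[ \"\$(type -t \"\$1\")\" = function ] && echo imported || echo rejected" _ "$name"
    ' _ "$1"
}

# exported_env_name NAME: print the environment variable name bash generates
# to carry the exported function NAME (upstream bash uses BASH_FUNC_NAME%%;
# some vendor builds used BASH_FUNC_NAME()).  Before the fix the function was
# exported under its bare name, so any environment variable could carry one.
exported_env_name() {
    bash -c '
        eval "function $1 { echo from-parent; }"
        export -f "$1"
        env | grep "^BASH_FUNC_$1" | head -n 1 | cut -d= -f1
    ' _ "$1"
}

# exported_env_value_prefix NAME: the first four bytes of that variable's
# value, i.e. the "() {" marker the importer keys on.
exported_env_value_prefix() {
    bash -c '
        eval "function $1 { echo from-parent; }"
        export -f "$1"
        env | grep "^BASH_FUNC_$1" | head -n 1 | cut -d= -f2- | cut -c1-4
    ' _ "$1"
}

# shellshock_probe: the classic CVE-2014-6271 check.  A vulnerable bash keeps
# parsing after the function body and runs the trailing command at startup;
# a fixed bash treats x as an ordinary variable and prints nothing.
shellshock_probe() {
    out=$(env x='() { :;}; echo vulnerable' bash -c : 2>/dev/null)
    if [ "$out" = vulnerable ]; then echo vulnerable; else echo patched; fi
}

# Stand-alone demo.
for n in plain_name foo::bar /bin/rm; do
    printf '%-12s %s\n' "$n" "$(probe_export "$n")"
done
printf 'env entry for foo: %s=%s...\n' "$(exported_env_name foo)" "$(exported_env_value_prefix foo)"
printf 'CVE-2014-6271 probe: %s\n' "$(shellshock_probe)"
```

On a current upstream bash, `plain_name` and `foo::bar` come through while `/bin/rm` does not: the importer rejects names containing a slash outright and only applies the full `legal_identifier()` check in POSIX mode, which is the looser rule that replaced the unconditional check in the first patch. Run the probes with `POSIXLY_CORRECT` set, or with the child invoked as `sh`, to see `foo::bar` rejected as well.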

