oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash)

From: Stephane Chazelas <stephane.chazelas () gmail com>
Date: Fri, 3 Oct 2014 22:30:59 +0100
2014-10-03 14:48:19 -0500, Kobrin, Eric:

I've found the shellshock vulnerable code in archives claiming to contain bash 1.05, which also claim to be from 1990 
or 1989.
I was unable to find the source for anything claiming older than 1.05.

[...]

Sorry, I said in the other email that it was not in 1.12. That's
my memory failing. I remember checking that it was not in 1.05
and it was, which is even more than my memory failing. Chet did
tell me that it was added in 1.13 though. I've now found 1.12
(ftp://ftp.it.xemacs.org/%7BD/unix/packages/NCSA/DEC_Alpha/bash-1.12.tar.Z)

and it was there indeed and the ChangeLog also in 1.05 has:

Sat Aug  5 08:32:05 1989  Brian Fox  (bfox at aurel)

        * variables.c: make_var_array (), initialize_shell_variables ()
          Added exporting of functions.


And:

Fri Sep  1 18:52:08 1989  Brian Fox  (bfox at aurel)
[...]
        * I update this too irregularly.
          Released 1.03.


So the feature has indeed been there for over a quarter of a
century since 1.03, and Chet and I have spread misconceptions by
saying that it was added circa 1993.

-- 
Stephane
Previous By Date Next
Previous By Thread Next

Current thread: