oss-sec mailing list archives
Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash)
From: Stephane Chazelas <stephane.chazelas () gmail com>
Date: Fri, 3 Oct 2014 22:30:59 +0100
2014-10-03 14:48:19 -0500, Kobrin, Eric:
> I've found the shellshock vulnerable code in archives claiming to contain bash 1.05, which also claim to be from 1990 or 1989. I was unable to find the source for anything claiming older than 1.05.
[...]

Sorry, I said in the other email that it was not in 1.12. That's my memory failing. I remember checking that it was not in 1.05 and it was, which is even more than my memory failing.

Chet did tell me that it was added in 1.13 though.

I've now found 1.12 (ftp://ftp.it.xemacs.org/%7BD/unix/packages/NCSA/DEC_Alpha/bash-1.12.tar.Z) and it was there indeed and the ChangeLog also in 1.05 has:

Sat Aug 5 08:32:05 1989 Brian Fox (bfox at aurel)

    * variables.c: make_var_array (), initialize_shell_variables ()
    Added exporting of functions.

And:

Fri Sep 1 18:52:08 1989 Brian Fox (bfox at aurel)

[...]
    * I update this too irregularly.
    Released 1.03.

So the feature has indeed been there for over a quarter of a century since 1.03, and Chet and I have spread misconceptions by saying that it was added circa 1993.

-- 
Stephane