oss-sec mailing list archives

Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash)


From: "Kobrin, Eric" <ekobrin () akamai com>
Date: Fri, 3 Oct 2014 17:17:20 -0500

On Oct 3, 2014, at 5:30 PM, Stephane Chazelas <stephane.chazelas () gmail com> wrote:

> Sorry, I said in the other email that it was not in 1.12. That's
> my memory failing. I remember checking that it was not in 1.05
> and it was, which is even more than my memory failing. Chet did
> tell me that it was added in 1.13 though. I've now found 1.12
> (ftp://ftp.it.xemacs.org/%7BD/unix/packages/NCSA/DEC_Alpha/bash-1.12.tar.Z)

No worries.

The version I used was at: http://www.oldlinux.org/Linux.old/bin/old/bash-1.05/variables.c
Full tar: http://www.oldlinux.org/Linux.old/bin/old/bash-1.05.tar

Brian Fox even wrote a UseNet post advertising the feature on September 8th, 1989 -- just over 25 years before you showed the rest of us that it was a vulnerability in disguise:

https://groups.google.com/d/msg/gnu.bash.bug/72jXoIWYsfE/jJqC-fjSh0wJ

If anyone has a copy of bash-1.02 or bash-1.03, I'd love to see it. It should be floating around some of the old NeXT archives.

-- Eric Kobrin


