Message-ID: <CALx_OUDWD2FoneQ6hwGG5cjaN+jHFNPgW2xeZ47OrBzVT3MT+Q@mail.gmail.com>
Date: Mon, 29 Sep 2014 07:45:22 -0700
From: Michal Zalewski <lcamtuf@...edump.cx>
To: oss-security@...ts.openwall.com
Cc: Chester Ramey <chet.ramey@...e.edu>
Subject: Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability)

> Am I the only one who is wondering: Who is paying Chet to do this?

Chet probably had a busy couple of weeks because of a piece of code that went unnoticed for longer than the age of some people posting to this list. As soon as additional problems with the original fix cropped up, he also worked pretty hard to adopt a more robust prefix approach, which shipped upstream about a day ago.

While I'd be the first to line up and just get rid of the affected functionality, the worries about compatibility with existing code are pretty valid. Heck, we unexpectedly bumped into issues with that when fixing the bug at Google. We were surprised to notice that some people do use function exports in their code, and then, that some of them use mock object-oriented notation like function foo::bar { ... } - which actually malfunctioned after the first patch.

So, I don't think there's a lot of value in making random accusations.

/mz
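An added illustration of the two behaviours the message touches on (this is not part of Michal's message or of bash's own code): a small POSIX shell script that checks, first, that a patched bash no longer turns an arbitrary environment variable whose value looks like a function body into a function, and second, that `export -f` still round-trips functions to a child bash, including a `foo::bar` style name. It assumes a patched `bash` binary is on PATH; the function names and strings are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original message. Needs a patched bash on PATH.

# 1. Legacy import path: before the fix, any env var whose value began with
#    "() {" was parsed as a function definition. Under the prefix approach a
#    plain variable named "x" stays a string in the child shell.
legacy_import_status() {
    x='() { echo imported; }' bash -c \
        'if declare -F x >/dev/null 2>&1; then echo imported; else echo not-imported; fi'
}

# 2. Sanctioned export path: export -f still works, because the exporting
#    bash writes the function under its own prefixed env name and the child
#    only imports functions from names carrying that prefix.
plain_roundtrip() {
    bash -c 'greet() { echo "hello from greet"; }; export -f greet; bash -c greet'
}

# 3. The "mock object-oriented" naming the message mentions: bash accepts
#    foo::bar as a function name outside POSIX mode, so it must survive export.
oo_roundtrip() {
    bash -c 'function foo::bar { echo "hello from foo::bar"; }; export -f foo::bar; bash -c foo::bar'
}

# 4. Show the env entry the exporting bash actually creates (exact name varies
#    between upstream and distro builds, so it is printed, not checked).
exported_env_entries() {
    bash -c 'greet() { :; }; export -f greet; env | grep BASH_FUNC || echo "no BASH_FUNC entry found"'
}

echo "legacy import: $(legacy_import_status)"
echo "plain export:  $(plain_roundtrip)"
echo "oo export:     $(oo_roundtrip)"
exported_env_entries
```

On a patched bash the first line reads `not-imported`; an unpatched build would report `imported`, which is the quickest local check that the prefix fix is in place.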