bug-bash

when was shellshock introduced


From: Stephane Chazelas
Subject: when was shellshock introduced
Date: Fri, 10 Oct 2014 22:19:30 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

2014-09-12 15:56:44 -0400, Chet Ramey:
[...]
> Importing exported function definitions was introduced in bash-1.13.
[...]

(bug-bash CCed).

Hi Chet,

I know that in the early days of the discovery, you came to the
conclusion that "shellshock" was introduced in 1.13, mostly my
fault for saying earlier that it was not in 1.05 or in the
ChangeLog while it plainly was.

When asked, you and I ended up spreading the word that it was
introduced in 1.13 and there's now a lot of confusion in the
news and FOSS and security communities around the actual date
the bug was introduced (I've seen 1.03, 1.05, 1.13, 1.14, from the
beginning... mentioned).

It was then discovered that the feature and vulnerability were
indeed in 1.05 and the ChangeLog in there makes it clear when it
was introduced:

http://www.oldlinux.org/Linux.old/bin/old/bash-1.05/ChangeLog

Fri Sep  1 18:52:08 1989  Brian Fox  (bfox at aurel)

       * readline.c: rl_insert ().  Optimized for large amounts
         of typeahead.  Insert all insertable characters at once.

       * I update this too irregularly.
         Released 1.03.
[...]
Sat Aug  5 08:32:05 1989  Brian Fox  (bfox at aurel)

       * variables.c: make_var_array (), initialize_shell_variables ()
         Added exporting of functions.

(I don't have access to the 1.03 source, but I've no reason to
believe it was any different than 1.05).


Some discussions in gnu.bash.bug and comp.unix.questions (that
one by you) around that time also mention the new feature.
https://groups.google.com/d/msg/gnu.bash.bug/72jXoIWYsfE/jJqC-fjSh0wJ
https://groups.google.com/d/msg/comp.unix.questions/LwsdchovzFY/qokUr2mfCboJ

More at:
http://thread.gmane.org/gmane.comp.security.oss.general/14177/focus=14181
http://www.dwheeler.com/essays/shellshock.html#timeline
http://thread.gmane.org/gmane.comp.security.oss.general/14177/focus=14190
http://unix.stackexchange.com/questions/157381/when-was-the-shellshock-cve-2014-6271-7169-bug-introduced-and-what-is-the-pat/157495#157495
https://twitter.com/SChazelas/status/518316463225315328

The WikiPedia entry
http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29
got corrected at some point but then reverted for lack of
"authoritative" information (not
http://en.wikipedia.org/wiki/Bash_%28Unix_shell%29 though).

For the sake of correctness, would you mind confirming here that
the bug and feature were indeed introduced in August 1989 and
first released in 1.03 in September that same year, so WikiPedia
can have an "authoritative" source of information?

Thanks,
Stephane


