Message-ID: <CAH8yC8=1DU=jiA=LRT2y3uUJ+nxuJbOQ9f2DWzqgsjOB6FCD1A@mail.gmail.com>
Date: Thu, 5 Jun 2014 22:51:39 -0400
From: Jeffrey Walton <noloader@...il.com>
To: Hector Marco <hecmargi@....es>
Cc: oss-security@...ts.openwall.com, bugs@...uritytracker.com,
        BugTraq <bugtraq@...urityfocus.com>,
        Full Disclosure List <fulldisclosure@...lists.org>
Subject: Re: [FD] [oss-security] Bug in bash <= 4.3 [security feature bypassed]

> 2014-06-03 16:16 GMT+02:00 Hector Marco <hecmargi@....es>:
>
> Hi everyone,
>
> Recently we discovered a bug in bash. Some time after reporting
> it to the bash developers, it has not been fixed.
>
> We think that this is a security issue because in some circumstances
> the bash security feature could be bypassed, allowing bash to be a
> valid target shell in an attack.
>
> We strongly recommend patching your bash code.
>
> Why not fix this bug by simply adding a mandatory "if" clause?
> Any comments about this issue are welcome.
>
>
> Details at:
> http://hmarco.org/bugs/bash_4.3-setuid-bug.html

It looks like Rage Against The Cage has been rediscovered. Also known
as the Android ADB Setuid bug.

Jeff

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/