[langsec-discuss] Fwd: ShellShock bug and langsec relation

Jacob Torrey jacob at jacobtorrey.com
Fri Sep 26 17:54:00 UTC 2014


Comes down to the basics, not treating data as formally as we do code, and
allowing the data to drive "weird machine" behavior. If Bash had a stricter
parser for its input, it wouldn't be an issue.

JT

On Fri, Sep 26, 2014 at 11:18 AM, Sashank Dara <krishna.sashank at gmail.com>
wrote:

> Hi,
>
> By now, some of you would have heard about the shellshock bug identified
> and making circles.
>
> Below is the environment setting command that has a bug.
>
>     env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>
> Source:
> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
>
> Now from langsec perspective, how do we explain this, anybody?
>
> Regards,
> Sashank
> http://lnkd.in/88sgfr
>
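Added example, not part of the thread and not Bash's own code: a strict recognizer for the "stricter parser" point in the reply above. It treats an environment value as a function definition only when the whole value is consumed by the definition, so the value from the quoted command is rejected instead of partly executed. The function names `classify` and `audit`, the simplified brace-and-quote grammar and the sample environment are assumptions made for illustration.

```python
# Added illustration: strict recognition of environment values that claim
# to be exported shell functions (values starting with "() {", as in the
# quoted command). The grammar is a deliberately small assumption and is
# not Bash's real grammar.

FUNC_PREFIX = "() {"


def classify(value: str) -> str:
    """Return 'data', 'function' or 'reject' for one environment value."""
    if not value.startswith(FUNC_PREFIX):
        return "data"              # plain data: never handed to a parser
    depth = 1                      # the '{' in the prefix is already open
    quote = None                   # current quote character, if any
    i = len(FUNC_PREFIX)
    while i < len(value):
        ch = value[i]
        if quote:
            if ch == "\\" and quote == '"':
                i += 1             # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch == "\\":
            i += 1                 # skip the escaped character
        elif ch in "'\"":
            quote = ch
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                # Definition complete: only whitespace may follow it.
                return "function" if value[i + 1:].strip() == "" else "reject"
        i += 1
    return "reject"                # unterminated body or quote


def audit(environ: dict) -> dict:
    """Map each variable name to its classification."""
    return {name: classify(val) for name, val in environ.items()}


# Constructed sample environment; 'x' holds the value from the quoted command.
SAMPLE = {
    "HOME": "/home/user",
    "greet": "() { echo 'hi }'; }",
    "x": "() { :;}; echo vulnerable",
    "broken": "() { echo unterminated",
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name:8} {verdict}")
```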