[langsec-discuss] Fwd: ShellShock bug and langsec relation

Meredith L. Patterson clonearmy at gmail.com
Fri Sep 26 18:20:38 UTC 2014


TQ and I are at work as we speak on a strict-parsing-based remediation.
Details to follow.

--mlp

On Fri, Sep 26, 2014 at 7:54 PM, Jacob Torrey <jacob at jacobtorrey.com> wrote:

> Comes down to the basics, not treating data as formally as we do code, and
> allowing the data to drive "weird machine" behavior. If Bash had a stricter
> parser for its input, it wouldn't be an issue.
>
> JT
>
> On Fri, Sep 26, 2014 at 11:18 AM, Sashank Dara <krishna.sashank at gmail.com>
> wrote:
>
>> Hi,
>>
>> By now, some of you would have heard about the shellshock bug identified
>> and making circles.
>>
>> Below is the environment setting command that has a bug.
>>
>>
>>
>> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>>
>> Source:
>> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
>>
>> Now, from a langsec perspective, how do we explain this, anybody?
>>
>> Regards,
>> Sashank
>> http://lnkd.in/88sgfr
>>
>>
>> _______________________________________________
>> langsec-discuss mailing list
>> langsec-discuss at mail.langsec.org
>> https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
>>
>>
>
>
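
The "stricter parser" point made in this thread, as an added example: it is not the remediation mentioned at the top of the message and not Bash's own code. It recognizes an environment value as a function definition only if the definition is the whole value, which rejects the value from the quoted command; the tiny grammar, the names `classify` and `scrub`, and the sample environment are assumptions made for illustration.

```python
import re

# Deliberately tiny grammar (an assumption of this example, far smaller than
# bash's): a body is simple commands made of bare words or single-quoted
# strings, separated by ';' or newlines. Everything else is rejected.
WORD = r"(?:[A-Za-z0-9_./:=+-]+|'[^']*')"
COMMAND = rf"{WORD}(?:[ \t]+{WORD})*"
SEP = r"[ \t]*[;\n][ \t\n]*"
FUNC_DEF = re.compile(
    rf"\(\) \{{[ \t\n]+{COMMAND}(?:{SEP}{COMMAND})*{SEP}\}}[ \t\n]*"
)


def classify(value: str) -> str:
    """Return 'data', 'function' or 'reject' for one environment value."""
    if not value.startswith("() {"):
        return "data"  # not shaped like a function definition, stays inert
    # fullmatch: the definition must be the WHOLE value, nothing may trail it.
    return "function" if FUNC_DEF.fullmatch(value) else "reject"


def scrub(env: dict) -> dict:
    """Return a copy of env without the values the recognizer rejects."""
    return {k: v for k, v in env.items() if classify(v) != "reject"}


# Constructed sample environment; 'x' holds the value quoted in this thread.
SAMPLE_ENV = {
    "HOME": "/home/user",
    "greet": "() {  echo hello\n}",
    "x": "() { :;}; echo vulnerable",
}

if __name__ == "__main__":
    for name, value in SAMPLE_ENV.items():
        print(f"{name}: {classify(value)}")
    print(sorted(scrub(SAMPLE_ENV)))
```

Anything outside the small grammar (substitutions, redirections, double quotes, comments) is rejected rather than guessed at, so a legitimate but complex exported function is also dropped.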

