
Re: bash 2.05.0(1)-release/it.map.gz Slackware 8.0 default and Debian VU#438955

From: CERT(R) Coordination Center <cert(at)cert.org>
Date: Fri Jan 31 2003 - 16:31:25 EST

-----BEGIN PGP SIGNED MESSAGE-----

Davide,

While reviewing mail today, I came across this post (below) to vuln-dev@security-focus.com, dated 07/24/2002. We've been tracking this vulnerability as VU#438955, but have not seen any responses from the various OS vendors that ship bash. Do you know whether any Unix or Linux vendors have upgraded their version of bash to address this vulnerability?

If you have any further questions, comments, or information regarding this issue, please contact us at <cert@cert.org>. When replying, please include "VU#438955" in the subject of your message.

Thanks,

Jeffrey

-----------------------------
Jeffrey P. Lanza
Internet Security Analyst
CERT Coordination Center

Davide Del Vecchio <security@phx.it> writes:
>GNU bash 2.05.0(1)-release/it.map.gz Slackware 8.0 default and Debian
>Stable local dos.
>
>Synopsis:
>Phoenix Sistemi Security Responsible has to notice that Bash version
>2.05.0(1) (Slackware 8.0 default) and Debian Stable one, with it.map.gz
>loaded suffers a silly bug which compromises the use of some
>characters.
>
>Affected Versions:
>GNU bash, version 2.05.0(1)-release (i386-slackware-linux-gnu)
>with it.map.gz loaded.
>GNU bash Debian Stable with it.map.gz loaded.
>Not tested on other versions.
>
>Description:
>Loading Unicode mapping table...
>Loading /usr/share/kbd/keymaps/i386/qwerty/it.map.gz
>Using a user local account, and typing the ASCII code "1236" from the keypad,
>a user could compromise the use of the keyboard through a bash/it.map bug,
[deleted some lines with non-ASCII characters]

>
>Solutions & Recommendations:
>Install different version of Bash or don't use the it keymap.
>
>Credits:
>Davide Del Vecchio would like to thank his company Phoenix Sistemi and the
>CED especially Bartolomeo Bufi, Antonio Lapadula, Pasquale
>Minervini, Gianluca Nanoia and Michele Tumolo.
>
>Disclaimer:


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBPjrniGjtSoHZUTs5AQEkkwQAvy/OYmCSkq+2/BZs9yQs3FJnnuurxHKd aYu5/mUXjMxOHTHETQYyaIHRGtVnXlAzhKA3ivuEOazF/Z7vvDPxXolRDbdekbWr wyShks5C4IyRmbPHzsg5pJUjB/39cugCYeQX9Mqh9krwaN1AF+0xabz3NKztICcx c+DJ5Y/bEPY=
=66ie
-----END PGP SIGNATURE-----

Received on Fri Jan 31 16:31:25 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:37 EDT

