[UFO Chicago] The Bash Bug and the OpenSSL Bug

jay at m5.chicago.il.us jay at m5.chicago.il.us
Fri Oct 31 06:38:09 PDT 2014


Fellow Nerds,

I write seeking someone to give a presentation at a meeting of the
Chicago C/C++ Users' Group (http://meetup.com/Chicago-C-CPP-Users-Group).

Specifically, I have been wanting to have a speaker at the Chicago
C/C++ Users' Group who would give a presentation on the bash bug, the
one that causes it to scan its environment for function definitions,
and to continue executing the environment string even after the end of
the function definition.  Ideally the talk would involve a code
presentation.  I think it is fascinating that this bug has been in
bash for, if I am not mistaken, more than 20 years, and it would be
fascinating for someone to show us the code and address the question
of how such a bug could be undetected for 20 years.

And if that topic is too short to devote an entire meeting to it, we
could couple it with a presentation of the OpenSSL bug, in which a
request for information followed by a buffer size would return as many
bytes of information as were specified in the buffer size, even if it
was more bytes of information than were in the requested information.
This was arguably worse than the bash bug, because the bash bug
affected only one program (albeit the single most frequently-invoked
program in all of Unix), whereas the OpenSSL bug affected every
program that was compiled with OpenSSL.  Again, a code presentation,
coupled with a discussion of how such a bug could possibly have been
undetected (especially since OpenSSL, if I am not mistaken, comes from
the OpenBSD project, which is supposed to have rigorous code-inspection
standards), would, I think, be fascinating.

We would like to have our next meeting in mid-November, if that is
possible, but if not, we will have it whenever the speaker is
available.  Thank you in advance for any and all replies.


                Jay F. Shachter
                6424 N Whipple St
                Chicago IL  60645-4111
                        (1-773)7613784   landline
                        (1-410)9964737   GoogleVoice
                        jay at m5.chicago.il.us
                        http://m5.chicago.il.us

                "This was untrue.  I am not even faintly like a rose."


More information about the ufo mailing list