On Wed, Sep 24, 2014 at 6:23 PM, Chet Ramey <chet.ramey () case edu> wrote:

> On 9/24/14, 5:32 PM, Solar Designer wrote:
>> On Wed, Sep 24, 2014 at 11:27:09PM +0200, Hanno Böck wrote:
>>> Tavis Ormandy just tweeted this:
>>> https://twitter.com/taviso/status/514887394294652929
>>>
>>> The bash patch seems incomplete to me, function parsing is still brittle. e.g.
>>> $ env X='() { (a)=>\' sh -c "echo date"; cat echo
>>
>> Thanks for bringing this to oss-security. I've added CC to Chet and Tavis on this "reply".
>
> I have a fix for this.

Can you provide a pointer to the patch? I put together a patch that changed the report_error() to fatal_error() as I wasn't able to see how to reset the parser state. Was just about to send it out...