2014-09-12 15:56:44 -0400, Chet Ramey:
[...]
> Importing exported function definitions was introduced in bash-1.13.
[...]

(bug-bash CCed).

Hi Chet,

I know that in the early days of the discovery, you came to the conclusion that "shellshock" was introduced in 1.13, mostly my fault for saying earlier that it was not in 1.05 or in the ChangeLog while it plainly was.

When asked, you and I ended up spreading the word that it was introduced in 1.13 and there's now a lot of confusion in the news and FOSS and security communities around the actual date the bug was introduced (I've seen 1.03, 1.05, 1.13, 1.14, from the beginning... mentioned).

It was then discovered that the feature and vulnerability were indeed in 1.05 and the ChangeLog in there makes it clear when it was introduced:

http://www.oldlinux.org/Linux.old/bin/old/bash-1.05/ChangeLog

    Fri Sep 1 18:52:08 1989 Brian Fox (bfox at aurel)

        * readline.c: rl_insert (). Optimized for large amounts of
          typeahead. Insert all insertable characters at once.

        * I update this too irregularly.
          Released 1.03.

    [...]

    Sat Aug 5 08:32:05 1989 Brian Fox (bfox at aurel)

        * variables.c: make_var_array (), initialize_shell_variables ()
          Added exporting of functions.

(I don't have access to the 1.03 source, but I've no reason to believe it was any different than 1.05).

Some discussions in gnu.bash.bug and comp.unix.questions (that one by you) around that time also mention the new feature.

https://groups.google.com/d/msg/gnu.bash.bug/72jXoIWYsfE/jJqC-fjSh0wJ
https://groups.google.com/d/msg/comp.unix.questions/LwsdchovzFY/qokUr2mfCboJ

More at:

http://thread.gmane.org/gmane.comp.security.oss.general/14177/focus=14181
http://www.dwheeler.com/essays/shellshock.html#timeline
http://thread.gmane.org/gmane.comp.security.oss.general/14177/focus=14190
http://unix.stackexchange.com/questions/157381/when-was-the-shellshock-cve-2014-6271-7169-bug-introduced-and-what-is-the-pat/157495#157495
https://twitter.com/SChazelas/status/518316463225315328

The WikiPedia entry http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29 got corrected at some point but then reverted for lack of "authoritative" information (not http://en.wikipedia.org/wiki/Bash_%28Unix_shell%29 though).

For the sake of correctness, would you mind confirming here that the bug and feature were indeed introduced in August 1989 and first released in 1.03 in September that same year, so WikiPedia can have an "authoritative" source of information?

Thanks,
Stephane