bug-bash

Re: CVE-2014-7187 and CVE-2014-6278


From: Stephane Chazelas
Subject: Re: CVE-2014-7187 and CVE-2014-6278
Date: Mon, 17 Nov 2014 16:22:53 +0000
User-agent: Mutt/1.5.21 (2010-09-15)

2014-11-17 08:49:59 -0500, Greg Wooledge:
[...]
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278 is the
> REAL bug.  This is the root cause of all the remote exploitation
> badness.  The patches which fix this problem fix remote exploitation
> of ALL the dumb parser bugs by closing off the attack vector.
[...]

The real bug doesn't have a CVE attached to it because it's not
a vulnerability or bug. It was "allowing the bash parser to be
exposed to untrusted data", more a very unsafe design that was
allowing any minor bug to turn into serious vulnerabilities.

CVE-2014-6278 is one of those very minor bugs (probably the most
minor of all, but also one of the most dangerous when the parser
is exposed because it allows remote-code-execution like).

Details are at
http://lcamtuf.blogspot.co.uk/2014/10/bash-bug-how-we-finally-cracked.html

The very minor bug has been fixed. But it has been fixed (and
revealed) after the "real (non-)bug" (the exposing of the parser
to untrusted input) has been fixed, so it is *only* a very minor
bug now.

Some more details at
https://unix.stackexchange.com/questions/157381/when-was-the-shellshock-cve-2014-6271-7169-bug-introduced-and-what-is-the-pat/157495#157495

-- 
Stephane
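
A defender-side check for the design point made in the message above, added here as an example and not part of the original e-mail or of bash itself: it tests whether a given bash still parses function definitions out of arbitrarily named environment variables, or only from the reserved `BASH_FUNC_` names that patched upstream builds use. The `gr_probe` name and the `BASH_BIN` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit whether a bash binary exposes its parser to
# arbitrary environment variables (the design issue discussed above).
# BASH_BIN and gr_probe are names chosen for this example only.
BASH_BIN=${BASH_BIN:-bash}

# Returns 0 if a variable with an ordinary name, whose value merely looks
# like a function definition, is imported as a function by a child bash.
# The value is a harmless no-op body with nothing after the closing brace.
parser_exposed() {
    env gr_probe='() { :; }' "$BASH_BIN" -c 'declare -F gr_probe' \
        >/dev/null 2>&1
}

# Returns 0 if exported functions are passed to children under a reserved
# BASH_FUNC_ name (upstream uses BASH_FUNC_<name>%%; only the prefix is
# matched here, so the exact suffix is not assumed).
namespaced_export() {
    "$BASH_BIN" -c 'gr_probe() { :; }; export -f gr_probe; env' 2>/dev/null |
        grep -q '^BASH_FUNC_gr_probe'
}

# Prints a one-line verdict; exit status 0 = closed, 1 = exposed, 2 = unknown.
audit_bash() {
    if parser_exposed; then
        echo "EXPOSED: function definitions accepted from arbitrary variable names"
        return 1
    fi
    if namespaced_export; then
        echo "OK: function import limited to BASH_FUNC_ names"
        return 0
    fi
    echo "UNKNOWN: no exposure seen, but export format not recognised"
    return 2
}
```

Run `audit_bash` after sourcing the file, setting `BASH_BIN` to the path of each bash binary to be checked (for example one bundled inside an appliance image or container).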