Re: CVE-2014-7187 and CVE-2014-6278


From: Greg Wooledge
Subject: Re: CVE-2014-7187 and CVE-2014-6278
Date: Mon, 17 Nov 2014 11:53:08 -0500
User-agent: Mutt/1.4.2.3i

On Mon, Nov 17, 2014 at 04:22:53PM +0000, Stephane Chazelas wrote:
> The real bug doesn't have a CVE attached to it because it's not
> a vulnerability or bug. It was "allowing the bash parser to be
> exposed to untrusted data", more a very unsafe design that was
> allowing any minor bug to turn into serious vulnerabilities.

Apparently I'm not very good at reading the vague, cryptic wording
in these CVE reports.

What I was trying to say originally was the same thing that you said;
namely, that the real fix to all this mess is bash43-027 which changes
the implementation of exported functions from foo='...' to
BASH_FUNC_foo%%='...'.
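
Added example, not part of the original message and not bash's own code: a Python sketch that classifies environment entries by the two encodings named above, showing which variable names carry a function-shaped value under the old foo='...' form versus the BASH_FUNC_foo%%='...' form. The helper names and the sample environment are constructed for illustration.

```python
import re

# Name shape of the encoding introduced by bash43-027: BASH_FUNC_<name>%%
NAMESPACED = re.compile(r"BASH_FUNC_(.+)%%")
# In both encodings the value of an exported function begins with "() {"
FUNC_VALUE_PREFIX = "() {"


def classify(name, value):
    """Return (kind, function_name) for one environment entry."""
    is_func_value = value.startswith(FUNC_VALUE_PREFIX)
    m = NAMESPACED.fullmatch(name)
    if m and is_func_value:
        return ("namespaced-function", m.group(1))
    if is_func_value:
        # Old encoding: any variable name qualifies, including names
        # that a gateway fills in from request data.
        return ("legacy-function", name)
    return ("plain", name)


def audit(env):
    """Group variable names by classification, sorted for stable output."""
    report = {"namespaced-function": [], "legacy-function": [], "plain": []}
    for name, value in env.items():
        report[classify(name, value)[0]].append(name)
    return {kind: sorted(names) for kind, names in report.items()}


def scrub(env):
    """Copy env, dropping entries that only the old encoding treats as functions."""
    return {n: v for n, v in env.items()
            if classify(n, v)[0] != "legacy-function"}


# Constructed sample environment (not taken from the thread).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "greet": "() { echo hi; }",
    "HTTP_X_SAMPLE": "() { echo hi; }",
    "BASH_FUNC_greet%%": "() { echo hi; }",
    "BASH_FUNC_note%%": "not a function body",
}

if __name__ == "__main__":
    for kind, names in audit(SAMPLE_ENV).items():
        print(f"{kind}: {names}")
```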


