Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 3 Oct 2014 09:20:11 +0000
From: Sona Sarmadi <sona.sarmadi@...a.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
	"Maxin John" <Maxin.John@...a.com>, Catalin Popeanga
	<Catalin.Popeanga@...a.com>
CC: Shawn <citypw@...il.com>
Subject: RE: more bash parser bugs (CVE-2014-6277,
 CVE-2014-6278)


> That script is a weird mixture of tests that implicitly pay no attention to
> Florian's patch, and therefore do not really demonstrate any security risk:

Thanks Michal, good to know :)

You have a new patch (http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-029), I am sure many wonders what CVE is this for? 
This looks to be related to CVE-2014-7186 ("here document" http://tldp.org/LDP/abs/html/here-docs.html) but the correction is in make_cmd.c
Is this a new vulnerability?

So there isn't still any specific patch for CVE-2014-6277 and CVE-2014-6278  according to your post   (http://www.openwall.com/lists/oss-security/2014/10/02/28)?

> * CVE-2014-6277 - uninitialized memory issue, almost certainly RCE
> found by me. No specific patch yet.

> * CVE-2014-6278 - command injection RCE found by me. No specific patch yet.

But Florian's unofficial patch or its upstream version (bash43-027 & co)  mitigates *ALL* these six so far known CVE, right?

Thanks 
/Sona

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ