bug-bash

Re: CVE-2014-7187 and CVE-2014-6278


From: Greg Wooledge
Subject: Re: CVE-2014-7187 and CVE-2014-6278
Date: Mon, 17 Nov 2014 08:49:59 -0500
User-agent: Mutt/1.4.2.3i

On Mon, Nov 17, 2014 at 04:30:07PM +0800, Jack wrote:
> As title, what difference between CVE-2014-7187 and CVE-2014-6278 ?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187 says
"Off-by-one error in the read_token_word function in parse.y"
So it's just another dumb parser bug, nothing to do with remote
exploitation really.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278 is the
REAL bug.  This is the root cause of all the remote exploitation
badness.  The patches which fix this problem fix remote exploitation
of ALL the dumb parser bugs by closing off the attack vector.


