Re: CVE-2014-7187 and CVE-2014-6278

From: Stephane Chazelas
Subject: Re: CVE-2014-7187 and CVE-2014-6278
Date: Mon, 17 Nov 2014 16:22:53 +0000

2014-11-17 08:49:59 -0500, Greg Wooledge:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278 is the
> REAL bug.  This is the root cause of all the remote exploitation
> badness.  The patches which fix this problem fix remote exploitation
> of ALL the dumb parser bugs by closing off the attack vector.

The real bug doesn't have a CVE attached to it because it's not
a vulnerability or bug. It was "allowing the bash parser to be
exposed to untrusted data", more a very unsafe design that was
allowing any minor bug to turn into serious vulnerabilities.

CVE-2014-6278 is one of those very minor bugs (probably the most
minor of all, but also one of the most dangerous when the parser
is exposed because it allows remote-code-execution like).

Details are at

The very minor bug has been fixed. But it has been fixed (and
revealed) after the "real (non-)bug" (the exposing of the parser
to untrusted input) has been fixed, so it is *only* a very minor
bug now.

Some more details at


