Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3230301C09DEF9499B442BBE162C5E48257574C5@SESTOEX04.enea.se>
Date: Fri, 3 Oct 2014 09:20:11 +0000
From: Sona Sarmadi <sona.sarmadi@...a.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
	"Maxin John" <Maxin.John@...a.com>, Catalin Popeanga
	<Catalin.Popeanga@...a.com>
CC: Shawn <citypw@...il.com>
Subject: RE: more bash parser bugs (CVE-2014-6277,
 CVE-2014-6278)


> That script is a weird mixture of tests that implicitly pay no attention to
> Florian's patch, and therefore do not really demonstrate any security risk:

Thanks Michal, good to know :)

You have a new patch (http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-029), I am sure many wonders what CVE is this for? 
This looks to be related to CVE-2014-7186 ("here document" http://tldp.org/LDP/abs/html/here-docs.html) but the correction is in make_cmd.c
Is this a new vulnerability?

So there isn't still any specific patch for CVE-2014-6277 and CVE-2014-6278  according to your post   (http://www.openwall.com/lists/oss-security/2014/10/02/28)?

> * CVE-2014-6277 - uninitialized memory issue, almost certainly RCE
> found by me. No specific patch yet.

> * CVE-2014-6278 - command injection RCE found by me. No specific patch yet.

But Florian's unofficial patch or its upstream version (bash43-027 & co)  mitigates *ALL* these six so far known CVE, right?

Thanks 
/Sona

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.