oss-sec mailing list archives

CVE-2014-6271 first patch and remote exploit via CGI


From: Reed Black <reed () unsafeword org>
Date: Thu, 25 Sep 2014 07:50:26 -0700

In the press, there are contrary statements about the initial patches[1]
posted by Florian Weimer. A user on Twitter posted[2] that the patch was
incomplete. There is agreement on that much. Where I see different
responses is on whether the first patch can still be exploited remotely via
the CGI vector outlined in Florian's initial post, and what damage can
still be done. I haven't seen a proof of concept yet, but I also haven't
seen a trusted voice give a definitive statement that it can't be abused.

Could anyone lay out what's still possible for a remote attacker via CGI
with only the first patch applied?

[1] http://seclists.org/oss-sec/2014/q3/650
[2] http://www.openwall.com/lists/oss-security/2014/09/24/33
