oss-sec mailing list archives

RE: more bash parser bugs (CVE-2014-6277, CVE-2014-6278)


From: Sona Sarmadi <sona.sarmadi () enea com>
Date: Thu, 2 Oct 2014 10:38:54 +0000

Thanks Michal,

* CVE-2014-6277 - uninitialized memory issue, almost certainly RCE found by
me. No specific patch yet.

According to the shellshock test (https://shellshocker.net/shellshock_test.sh),
Florian's patch (GNU patch bash43-027) and all other GNU patches (bash43-025,
bash43-026 & bash43-027) seem to have solved all so far known shellshock
vulnerabilities.

root@qemuarm:~# ./shellshock_test.sh
CVE-2014-6271 (original shellshock): not vulnerable bash: shellshocker: command not found
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable

I guess CVE-2014-//// in the "shellshock_test.sh" should be CVE-2014-6277, right?

Thanks
/Sona
