oss-sec mailing list archives

RE: more bash parser bugs (CVE-2014-6277, CVE-2014-6278)


From: "Menkhus, Mark (Global Cyber Security SSRT)" <mark.menkhus () hp com>
Date: Thu, 2 Oct 2014 17:30:13 +0000

Hi,

What URL do I point to see the security bugs listed by CVE for bash43-25 through -28?

I didn't see it in the patches themselves - ftp://ftp.cwru.edu/pub/bash/bash-4.3-patches 

Sorry, I am new to bash culture,
Mark Menkhus
Hewlett Packard

-----Original Message-----
From: Chet Ramey [mailto:chet.ramey () case edu] 
Sent: Thursday, October 02, 2014 8:58 AM
To: Sona Sarmadi; oss-security () lists openwall com
Cc: Solar Designer; chet.ramey () case edu
Subject: Re: [oss-security] more bash parser bugs (CVE-2014-6277, CVE-2014-6278)

On 10/2/14, 3:22 AM, Solar Designer wrote:
Sona - Chet is not on oss-security, we should be CC'ing him on 
relevant messages.  I've just added the CC on this one.

On Thu, Oct 02, 2014 at 06:48:54AM +0000, Sona Sarmadi wrote:
On 10/1/14, 5:04 PM, Shawn wrote:
http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-028

Nope, this one fixes 7168/7169.  It's the equivalent of the `parser-oob' patch.

My mistake, it's 7186/7187.  There are fixes for both in one patch.  The fix
for the off-by-one error is not obvious, but it's in there in the third chunk.

Chet

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet () case edu    http://cnswww.cns.cwru.edu/~chet/

