oss-sec mailing list archives

RE: more bash parser bugs (CVE-2014-6277, CVE-2014-6278)

From: Sona Sarmadi <sona.sarmadi () enea com>
Date: Fri, 3 Oct 2014 10:28:24 +0000

So there isn't still any specific patch for CVE-2014-6277 and CVE-2014-6278
according to your post   (http://www.openwall.com/lists/oss-
security/2014/10/02/28)?

* CVE-2014-6277 - uninitialized memory issue, almost certainly RCE
found by me. No specific patch yet.

* CVE-2014-6278 - command injection RCE found by me. No specific patch

yet.

But Florian's unofficial patch or its upstream version (bash43-027 & co)
mitigates *ALL* these six so far known CVE, right?


I found some good answer here, thanks Michal :)
http://lcamtuf.blogspot.se/2014/10/bash-bug-how-we-finally-cracked.html

Current thread:

RE: more bash parser bugs (CVE-2014-6277, CVE-2014-6278), (continued)
- - - RE: more bash parser bugs (CVE-2014-6277, CVE-2014-6278) Sona Sarmadi (Oct 01)
    - Re: more bash parser bugs (CVE-2014-6277, CVE-2014-6278) Solar Designer (Oct 02)
    - Re: more bash parser bugs (CVE-2014-6277, CVE-2014-6278) Chet Ramey (Oct 02)
    - RE: more bash parser bugs (CVE-2014-6277, CVE-2014-6278) Menkhus, Mark (Global Cyber Security SSRT) (Oct 02)
    - RE: more bash parser bugs (CVE-2014-6277, CVE-2014-6278) Sona Sarmadi (Oct 02)
    - RE: more bash parser bugs (CVE-2014-6277, CVE-2014-6278) Menkhus, Mark (Global Cyber Security SSRT) (Oct 02)
    - Re: more bash parser bugs (CVE-2014-6277, CVE-2014-6278) Michal Zalewski (Oct 02)
    - RE: more bash parser bugs (CVE-2014-6277, CVE-2014-6278) Sona Sarmadi (Oct 02)
    - Re: more bash parser bugs (CVE-2014-6277, CVE-2014-6278) Michal Zalewski (Oct 02)
    - RE: more bash parser bugs (CVE-2014-6277, CVE-2014-6278) Sona Sarmadi (Oct 03)
    - RE: more bash parser bugs (CVE-2014-6277, CVE-2014-6278) Sona Sarmadi (Oct 03)