Re: CVE-2014-6277, CVE-2014-6278 in stable

To: debian-security-tracker@lists.debian.org
Subject: Re: CVE-2014-6277, CVE-2014-6278 in stable
From: Stephane Chazelas <stephane.chazelas@gmail.com>
Date: Sun, 19 Oct 2014 21:36:44 +0100
Message-id: <[🔎] 20141019203644.GA6025@chaz.gmail.com>
In-reply-to: <[🔎] alpine.DEB.2.11.1410161415450.5552@tglase.lan.tarent.de>
References: <[🔎] alpine.DEB.2.11.1410161415450.5552@tglase.lan.tarent.de>

2014-10-16 14:17:22 +0200, Thorsten Glaser:
[...]
> while the affix patches avoid exploiting these bugs, mostly,
> they are still there.
> 
> http://evolvisforge.blog.tarent.de/archives/93
> 
> Currently, *all* bugs are only fixed in sid, precise, trusty.
> The fixes are still not in testing, nor has stable been updated.
[...]

Once the bash parser is no longer exposed to any environment
variable content, those are hardly a bug anymore let alone a
vulnerability.

Even the original CVE-2014-6271 becomes a non-bug once the
parser is no longer exposed.

See
https://lists.gnu.org/archive/html/bug-bash/2014-10/msg00032.html

The only important patch to apply is the one for something that
didn't get any CVE: that bash parses code in any env var whose
content starts with "() {". See there:

http://unix.stackexchange.com/a/157495/22565

for details.

-- 
Stephane

Reply to:

References:
- CVE-2014-6277, CVE-2014-6278 in stable
  - From: Thorsten Glaser <t.glaser@tarent.de>

Prev by Date: External check
Next by Date: External check
Previous by thread: CVE-2014-6277, CVE-2014-6278 in stable
Next by thread: Bug#766412: security-tracker: DSA-3049-1 vs. tracker
Index(es):
- Date
- Thread