Re: CVE-2014-6277, CVE-2014-6278

To: debian-security@lists.debian.org
Subject: Re: CVE-2014-6277, CVE-2014-6278
From: Henrique de Moraes Holschuh <hmh@debian.org>
Date: Mon, 29 Sep 2014 14:41:02 -0300
Message-id: <[🔎] 20140929174102.GA6192@khazad-dum.debian.net>
In-reply-to: <[🔎] CA+koCTUyL+Nq_QN3REJqjjtODYpCAo=jr5jiA5S3eLGPpzvOVA@mail.gmail.com>
References: <[🔎] CA+koCTUyL+Nq_QN3REJqjjtODYpCAo=jr5jiA5S3eLGPpzvOVA@mail.gmail.com>

On Mon, 29 Sep 2014, john wrote:
> So I am confused. I think what I am reading here is that if you applied
> the latest patches to bash [3] you are not vulnerable to CVE-2014-6277.
> CVE-2014-6278. Running the test outlined on Icamtuf.blogspot.co.nz [4]
> seemed to confirm that.

AFAIK, we are still vulnerable to CVE-2014-6277 and CVE-2014-6278, but not
through any interesting attack vectors:  Debian included the RedHat change
that moves the functions to the BASH_FUNC_<name>() namespace in the DSA-3035
fix.

However, should someone find a way to inject BASH_FUNC_foo()='<whatever
triggers these undisclosed bugs>' into the environment, the attack is going
to succeed.  To twart that, we have to wait until the embargo is lifted and
the real fix for CVE-2014-6277 and CVE-2014-6278 gets uploaded/published.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to:

References:
- CVE-2014-6277, CVE-2014-6278
  - From: john <lists.john@gmail.com>

Prev by Date: CVE-2014-6277, CVE-2014-6278
Previous by thread: CVE-2014-6277, CVE-2014-6278
Index(es):
- Date
- Thread